1. Introduction 
1.1. Dependent function types 


A function has a dependent type when the type of its result depends upon the 
value of its argument. A simple example of a function with a dependent type is 
the unary function zero-vector that, when applied to an integer n, returns an 
n-vector of zeroes. If all vectors are given the same type vector, then zero-vector 
can be given the simple functional type 

$\mathit{int} \to \mathit{vector}$ . 


On the other hand, we may choose to make vector types more informative by having 
the type of a vector reflect its length. In this case, vector is not a type constant 
but a parameterized type: (vector n) denotes the type of vectors of length n. We 
can thus describe the type of the value (zero-vector n), for a given n, as (vector n); 
in symbols, 


(zero-vector n) : (vector n) , 


where ‘:’ is read as ‘has type.’ But now zero-vector no longer has the simple 
type given above, for the type of (zero-vector n) depends on n; i.e., the type of 
(zero-vector n) is a function of n. This suggests that we use the type-returning 
function 

$\lambda n{:}\mathit{int}.(\mathit{vector}\ n)$ , 

often called a type generator or a type constructor, as the type of zero-vector, 
for it accurately describes the type of the value of zero-vector at the argument n. 
However, to maintain the distinction between functions and types, we use Π in 
place of λ as an abstraction symbol for type expressions. We therefore have 

$\mathit{zero\text{-}vector} : \Pi n{:}\mathit{int}.(\mathit{vector}\ n)$ . 


The dependent function type Πx:A.B, also called a general product type, is the 
type of functions that map an element a of type A to an element of type B[a/x], 
where B[a/x] stands for B with a substituted for all free occurrences of x. Ordinary 
function types are a special case of dependent types, for the type A → B is simply 
Πx:A.B, where x is chosen to be an identifier not free in B. 

Terms (i.e., programs), which denote functions and values, and type expres- 
sions, which classify terms, are syntactically and semantically distinct in most ex- 
plicitly typed programming languages. This distinction permits static typecheck- 
ing: A term can be typechecked (e.g., by a compiler) in advance of performing the 
computation that it describes. In type systems that support dependent function 
types this distinction is blurred, for terms can appear in type expressions and it 
may be necessary to perform some computation in order to typecheck a term. For 
example, consider the function 


$\mathit{neg\text{-}vector} : \Pi n{:}\mathit{int}.(\mathit{vector}\ n) \to (\mathit{vector}\ n)$ 


which, given an integer n, returns a function that negates each element of a given 
n-vector. When we apply neg-vector to a particular integer, say 23, we obtain a 


function 


$(\mathit{neg\text{-}vector}\ 23) : (\mathit{vector}\ 23) \to (\mathit{vector}\ 23)$ . 


Now suppose that M is a term of type int and that z is a variable of type 
(vector M). In order to typecheck the application 

$((\mathit{neg\text{-}vector}\ 23)\ z)$ , 

we must verify that z is of type (vector 23), and this requires checking that M 
computes to 23. While typechecking may require computation, it is still possible 
to distinguish between the process of typechecking a term, which may require 
performing the computations described by some other terms, and the process of 
performing the computation described by the term itself. 


1.2. The type of all types 


The type of all types is the type of every type, including itself. In symbols, writ- 
ing ‘*’ for the type of all types, we have A : * for every type A and, since * is its 
own type, * : *. 

By admitting the type of all types, we admit types as true “first-class” citizens, 
allowing types to be treated just like ordinary values. In particular, functions on 
types can be defined by ordinary λ-abstraction; e.g., writing ‘×’ for pair (i.e., 
product) types, we can define 

$\mathit{three\text{-}tuple} = \lambda A{:}{*}.A \times A \times A$ 

and then write (three-tuple int) for int × int × int, the type of three-tuples of 
integers. Just as functions involving integers have types containing int, so functions 
involving types have types containing *. Thus the three-tuple type generator has 
type * → *; similarly, the parameterized type vector used above has type int → *. 

In the presence of dependent function types, the type of all types allows the 
expression of parametric polymorphism [Strachey 1967, Reynolds 1983], which can 
be found in the programming languages CLU [Liskov et al. 1981], Ada [Ada 1980], 
Russell [Boehm et al. 1980, Donahue & Demers 1985], and ML [Milner 1983]. 
Intuitively, we can think of a polymorphic function as a function mapping types to 
values; a polymorphic function has a dependent type because the type of its result 
depends upon the value of its argument, which in this case is a type. Polymorphic 
functions are easily expressed in a λ-calculus with dependent function types and 
the type of all types because types can be treated as values: Type variables are 
just variables of type *, abstraction with respect to a type variable is done with 
ordinary λ-abstraction, and the application of a polymorphic function to a type is 
ordinary function application. For example, let A be a type variable in the function 


$\lambda x{:}A.x$ . 

By λ-abstracting over this function with respect to A, we obtain the polymorphic 
identity function 

$\mathit{id} = \lambda A{:}{*}.\lambda x{:}A.x$ 
$\quad : \Pi A{:}{*}.A \to A$ . 

When id is applied to a type, it yields the identity function on that type; e.g., for 
the type int → int, 

$\mathit{id}\ (\mathit{int} \to \mathit{int}) = \lambda x{:}\mathit{int} \to \mathit{int}.x$ , 

which in this case is a function of type (int → int) → (int → int). 

Thus a λ-calculus with dependent function types and the type of all types 
subsumes the polymorphic λ-calculus of [Girard 1972] and [Reynolds 1974], which 
is itself a very rich and powerful language. Any recursive numeric function that 
is provably total in second-order Peano arithmetic can be represented in this cal- 
culus [Girard 1972, Statman 1981, Fortune et al. 1983]; there are no known un- 
contrived examples of total recursive functions that are not in this class. Many 
interesting generic data types can be defined, including pairs, unions, and homo- 
geneous lists and trees [Reynolds 1985, Böhm & Berarducci 1985]. 

Going beyond the polymorphic λ-calculus, in a λ-calculus with dependent 
function types and the type of all types we can apply the programming techniques 
of the more powerful Calculus of Constructions [Coquand 1985b, Mohring 1986, 
Coquand & Huet 1988]. For example, we can define a form of dependent pair 
type, also called a general sum or an existential type, that is useful for modelling 
abstract data types [Mitchell & Plotkin 1985, MacQueen 1986]. 

The combination of dependent function types and the type of all types yields 
enormous expressive power at very little apparent cost, and it does so in a concep- 
tually clean and uniform way by treating types as values. Unfortunately, we shall 
see that the typechecking problem for a language with these features is undecid- 
able. That is, there is no effective algorithm for computing the type of a program, 
even though the type of every identifier is explicitly declared. 


1.3. The λ*-calculus 


This thesis is a study of dependent function types and the type of all types in 
the setting of the λ*-calculus, which is intended to be a minimal typed λ-calculus 
incorporating these two features. The λ*-calculus, defined in §2, can be seen as a 
strongly- and explicitly-typed functional programming language in which functions 
are first-class values. Functions (λ-terms) are classified by dependent function 
types (Π-terms), which in turn have type *. As we shall see, many of the familiar 
properties of typed λ-calculi hold for the λ*-calculus: 


(1) Reduction is Church-Rosser, i.e., confluent. 


(2) Reduction is type preserving: If M : A and M → N, then 
N : A, where ‘→’ denotes the one-step reduction relation on 
λ*-terms. In other words, evaluation does not change the type 
of a term. 


(3) The static typing property holds: The processes of typechecking 
a term and of performing the computation that it describes are 
distinct, i.e., types need not be checked during evaluation. 


However, a number of expected properties fail to hold for the λ*-calculus. In §3 
and §4 we shall establish that: 


(4) Strong normalization fails: There exist terms that have no nor- 
mal form (i.e., their evaluation does not terminate). 


(5) The normal-form relation is undecidable: For two terms M and 
N such that N is a normal form, it is undecidable whether 
M ↠ N, where ‘↠’ denotes the multi-step reduction relation 
on λ*-terms. 


(6) The equational theory is undecidable: For two terms M and N, 
it is undecidable whether M =β N, where ‘=β’ denotes provable 
equality (i.e., program equivalence) under β-conversion. 


(7) The typing theory is undecidable: For a term M and a type A, 
it is undecidable whether M : A. 
We normally associate these failed properties with languages in which divergent 
recursive computations can be expressed, so it is surprising that (4)-(7) apply to 
the λ*-calculus, which has no primitives for recursion and in which recursion is not 
obviously definable. The positive forms of (4)-(7) are enjoyed by a variety of typed 
λ-calculi, including the simply-typed λ-calculus [Barendregt 1984, Appendix A], 
the polymorphic λ-calculus [Girard 1972, Reynolds 1974], and the Calculus of 
Constructions [Coquand 1985b, Coquand & Huet 1988]. 

That strong normalization fails (4) for languages like the λ*-calculus has been 
known for some time; the central result of this thesis is that the normal-form 
relation is undecidable (5). The undecidability of the equational theory (6) follows 
from (5) because, by the Church-Rosser property (1), the equational theory is 
characterized by the reduction rules. The undecidability of the typing theory (7) 
follows from (5) because computation is required, in general, in order to typecheck 
a term. 


1.4. Overview 


Girard’s paradox. The λ*-calculus is not a recent invention: Martin-Löf’s first In- 
tuitionistic Theory of Types [Martin-Löf 1971] is a higher-order constructive logic 
that is essentially equivalent to the λ*-calculus. Martin-Löf wanted a single for- 
malism that would be adequate for the formalization of a substantial portion of 
constructive mathematics, and he believed that the λ*-calculus, with its type of 
all types, had sufficient expressive power to meet this requirement. Martin-Löf’s 
type theory is based upon a connection between intuitionistic logics and typed 
λ-calculi known as the propositions-as-types analogy. Under this analogy, logical 
propositions are written as types, and a proof of a proposition is a λ-term of the 
appropriate type. 

[Girard 1972] showed Martin-Löf’s type theory to be inconsistent by refor- 
mulating the Burali-Forti paradox [Burali-Forti 1897] of classical set theory; this 
reformulation has come to be known as Girard’s paradox. The upshot of the para- 
dox is a proof of the absurd proposition, which asserts that every proposition is 
provable. In the λ*-calculus, the absurd proposition is written as the type ΠA:*.A, 
and Girard’s argument describes how to construct a proof of this proposition, i.e., 
a closed λ*-term of this type. It is straightforward to show that no term of this 
type has a normal form, and this implies the failure of strong normalization. 


Looping combinators. The failure of strong normalization does not, however, imply 
the undecidability of normal forms, equations, or typings in the λ*-calculus. In 
order to examine the actual non-normalizing term described by Girard’s proof, 
in §3 we follow the paradox to construct a term Z of type ΠA:*.A, using an 
improved formulation adapted from [Coquand 1986] and [Howe 1987]. Being too 
complex to be carried out by hand, the construction is done with the assistance of 
a computer program called LP, which is a typechecking and reduction engine for 
general typed λ-calculi. Given the typechecking rules for a particular calculus, LP 
provides a Lisp-like interface that accepts an identifier definition, typechecks the 
definition, and enters it into the global environment for use in later definitions. LP 
and its input language, which is essentially a sugared version of the λ*-calculus, 
are described in Appendix A. 

Observation of the reduction behavior of Z shows that certain of its subterms, 
which correspond to formal proofs of lemmas used in the paradox proof, continu- 
ously reappear at the front of Z as it is reduced. We show how to build a polymor- 
phic looping combinator $L_0$ by making minor modifications to the paradox con- 
struction; this term, written in the LP input language, is contained in Appendix B. 
A polymorphic looping combinator $L_i$ is a term of type ΠA:*.(A → A) → A such 
that, for any type A and function f : A → A, we have 

$(L_i\ A\ f) \twoheadrightarrow f\ (L_{i+1}\ A\ f)$ , 

where $L_{i+1}$ is another looping combinator. Intuitively, a looping combinator is 
“just as good as” a fixed-point combinator for the purpose of expressing recursive 
computations. Recall that the polymorphic fixed-point combinator Y has the 
reduction behavior 

$(Y\ A\ f) \twoheadrightarrow f\ (Y\ A\ f)$ . 

The only difference between a fixed-point combinator Y and a looping combina- 
tor L is that an application of Y reduces to a term involving Y itself, while an 
application of L reduces to a term involving another, possibly different, looping 
combinator. 


Undecidability. One way of showing that the normal-form relation of the λ*-calculus 
is undecidable is to show that all partial recursive functions can be defined within it. 
As is well known, any partial recursive function can be expressed in terms of 
the initial functions and the function-forming operations of composition, primitive 
recursion, and minimalization. It would therefore suffice to show that we can 
compute, in the λ*-calculus, all functions constructed in this manner. The primitive 
recursion and minimalization operators are typically implemented using a fixed- 
point combinator, but true fixed points are not required; all that is necessary is the 
ability to iterate a function an arbitrary number of times. Looping combinators 
have exactly this ability, so the undecidability result would follow immediately by 
reduction from the halting problem. 
Unfortunately, as we discuss in §4, we don’t know quite enough about the 
behavior of the constructed looping combinator $L_0$ to be able to apply this method. 
However, we can show that all total recursive functions can be computed in the 
λ*-calculus. A simple complexity-theoretic argument then proves that the normal- 
form relation of the λ*-calculus is undecidable, from which it follows that the 
equational and typing theories are undecidable as well. 


2. The λ*-calculus 


Terms can appear in type expressions in the λ*-calculus, so we cannot first define 
type expressions and then define the set of terms, as is possible for simpler typed 
λ-calculi. The syntactic machinery of the λ*-calculus is therefore much like that 
of AUTOMATH [Barendregt & Rezus 1983] and the Calculus of Constructions [Co- 
quand 1985b, Coquand & Huet 1988]. We first define the set Λ* of raw terms and 
a notion of reduction upon them. We then restrict the raw terms to the well-typed 
terms through a proof system for typing statements, which are assertions about 
the type of a term relative to the types of its free variables. Thus the raw terms 
include both the well-typed terms and many other terms that are not well-typed. 


2.1. Raw terms 


Fix a countably infinite set of variables. In what follows, x, y, and z are metavari- 
ables for variables and M and N are metavariables for terms. Other capital Roman 
letters are occasionally used for terms; in particular, A, B, and C stand for terms 
intended to be types. The set Λ* of raw terms is the smallest set defined by the 
following inductive clauses: 


$x \in \Lambda^*$                      every variable is a term 
$* \in \Lambda^*$                      ‘*’ is a term 
$(M\ N) \in \Lambda^*$                 application 
$(\lambda x{:}A.M) \in \Lambda^*$      λ-abstraction 
$(\Pi x{:}A.B) \in \Lambda^*$          Π-abstraction 


In a raw abstraction it is possible to have occurrences of the bound variable x free 
in the binding type A; for definiteness we say that such occurrences are not bound 
by the binding symbol of the abstraction, but in fact the typing rules will forbid 
such occurrences. 

We adopt the following variable convention: If a set of terms occurs together, 
for example, in a definition, then all bound variables in these terms are distinct 
from each other and from the free variables [Barendregt 1984, Appendix C]. We also 
identify terms modulo the uniform renaming of bound variables (α-conversion); in 
combination with the variable convention, this allows us to work with representa- 
tives of the α-equivalence classes of terms rather than terms themselves. When 
used between terms, ‘=’ denotes syntactic equality modulo α-conversion. 

The set of free variables of M is denoted fv(M), and the substitution of N for 
all free occurrences of x in M is denoted by M[N/x]; both are defined inductively 
on the structure of terms in the usual way. 


The function type expression A → B abbreviates (Πx:A.B), where x does not 
occur free in B. We follow the familiar convention that → associates to the right, 
so that A → B → C abbreviates A → (B → C). Application associates to the left, 
so that (F M N) abbreviates ((F M) N). The vector notation $(M\ \vec N)$ abbreviates 
$(M\ N_1\ N_2 \cdots N_k)$; similarly, $\lambda\vec x{:}\vec A.M$ abbreviates $\lambda x_1{:}A_1.\lambda x_2{:}A_2.\cdots\lambda x_k{:}A_k.M$. 


2.2. Reduction 


The one-step reduction relation → is inductively defined as the least relation sat- 
isfying the axiom of β-contraction, 

$(\lambda x{:}A.M)\ N \to M[N/x]$ , 

and the inference rules: 

$M \to M' \;\Rightarrow\; M\ N \to M'\ N$ 
$N \to N' \;\Rightarrow\; M\ N \to M\ N'$ 
$M \to M' \;\Rightarrow\; (\lambda x{:}A.M) \to (\lambda x{:}A.M'),\ (\Pi x{:}A.M) \to (\Pi x{:}A.M')$ 
$A \to A' \;\Rightarrow\; (\lambda x{:}A.M) \to (\lambda x{:}A'.M),\ (\Pi x{:}A.M) \to (\Pi x{:}A'.M)$ . 


Note that there is no notion of β-contraction for Π-abstractions; this is intentional, 
as Π-abstractions are dissected only by the typing rules. A term M is a normal 
form (nf) iff there is no term N such that M → N. The multi-step reduction 
relation ↠ is the transitive, reflexive closure of →, and the conversion relation ↔ 
is the equivalence relation generated by ↠. If N is a nf and M ↔ N, we say 
that N is a normal form of M. As expected, the Church-Rosser property holds for 
reduction: 


Lemma 2.1. If $M \twoheadrightarrow M_1$ and $M \twoheadrightarrow M_2$, then there exists an N such 
that $M_1 \twoheadrightarrow N$ and $M_2 \twoheadrightarrow N$. 


Proof. See [Martin-Löf 1971]. ■ 

We have the usual corollaries, proved by the same methods as for the untyped 
λ-calculus [Barendregt 1984, §3.1]. 


Corollary 2.2. $M_1 \leftrightarrow M_2$ iff there exists an N such that $M_1 \twoheadrightarrow N$ and 
$M_2 \twoheadrightarrow N$. 


Corollary 2.3. Normal forms of given terms are unique, if they exist. 
The notion of head normal form (hnf) for raw terms, useful in the analysis of 
non-normalizing terms, is adapted from the untyped λ-calculus [Barendregt 1984, 
Def. 2.2.11]. A term of Λ* is a hnf iff it is of one of the following forms: 


Note that $\vec x$, $\vec A$ and $\vec M$ may be empty, and y may be free or bound. A term M is 
said to have a hnf iff there exists a hnf N such that M ↔ N. 


Proposition 2.4. If $M = (M_1\ M_2)$ is a nf, then M is of the form $(Z\ \vec N)$, 
where Z is either *, a variable, or a Π-abstraction. 


Proof by induction on the structure of terms, analyzing the structure of $M_1$. If 
$M_1$ is *, a variable, or a Π-abstraction, then $Z = M_1$ and $\vec N = M_2$. $M_1$ cannot be 
a λ-abstraction since M is a nf. If $M_1$ is an application, then by induction it is of 
the form $(Z\ \vec N)$ for some appropriate Z, so $M = ((Z\ \vec N)\ M_2)$. ■ 


Proposition 2.5. If M is a nf, then M is a hnf. 


Proof by induction on the structure of terms. The cases for *, variables, and Π- 
abstractions are obvious. If M is a λ-abstraction, then by induction its body must 
be a hnf, making M itself a hnf. If $M = (M_1\ M_2)$ then, by Proposition 2.4, M is 
a hnf. ■ 


2.3. Well-typed terms 


A typing statement consists of a typing and a context. The typing associates a 
term with a type, and is a pair of terms written M : A. The context* records the 
types of the free variables in the typing, and is a sequence of typings of variables 
(e.g., (x:A, y:B, z:C)). The empty context is written (), and the context Δ with 
the typing x:A appended is written Δ, x:A. A complete typing statement is written 
Δ ⊢ M : A and can be read, ‘under the variable declarations in Δ, the term M 
has type A.’ 

The proof system for typing statements contains one axiom and seven infer- 
ence rules. Each inference rule consists of a set of antecedent statements and a 
consequent statement, graphically separated by a horizontal line. A typing state- 
ment is provable iff it is the axiom, or iff it is the consequent of an inference rule 


*Sometimes called a type assignment or type environment. 
whose antecedents are all provable. A term M is said to have type A iff there is 
a context Δ such that Δ ⊢ M : A is provable, and M is said to be well-typed iff 
there is a type A such that M has type A. The proof system is carefully designed 
so that every provable typing statement Δ ⊢ M : A is well-formed, meaning that 
every free variable in Δ, M, and A is declared in Δ, no variable is declared more 
than once, and the type of every declared variable is provably of type *. 

The typing rules can be divided into those that manipulate contexts and 
those that construct types. The context manipulation rules make use of empty 
statements, written Δ ⊢, to indicate that Δ alone is well-formed. The context 


manipulation rules are: 


(ci)    $\dfrac{}{()\ \vdash}$                                              context initialization 

(*:*)   $\dfrac{\Delta\ \vdash}{\Delta \vdash {*} : {*}}$                    type of all types 

(cx)    $\dfrac{\Delta \vdash A : {*}}{\Delta, x{:}A\ \vdash}$   $x \notin \Delta$     context extension 

(cp)    $\dfrac{\Delta\ \vdash}{\Delta \vdash x : A}$   $x{:}A \in \Delta$          context projection 


Note that x:A ∈ Δ means that the typing x:A occurs in Δ, and x ∉ Δ means that 
there is no typing y:B ∈ Δ such that x = y. The (ci) rule simply says that the 
empty context is well-formed. The (*:*) rule allows the introduction of the type 
of all types. The (cx) rule is used to declare a new variable x of type A after A is 
proved to be a type, and the (cp) rule allows a previously declared variable to be 
projected from the context into a typing. 

The rules for type construction are: 


(Πf)    $\dfrac{\Delta, x{:}A \vdash B : {*}}{\Delta \vdash (\Pi x{:}A.B) : {*}}$                          Π-formation 

(Πi)    $\dfrac{\Delta, x{:}A \vdash M : B}{\Delta \vdash (\lambda x{:}A.M) : (\Pi x{:}A.B)}$              Π-introduction 

(Πe)    $\dfrac{\Delta \vdash M : (\Pi x{:}A.B),\quad \Delta \vdash N : A}{\Delta \vdash (M\ N) : B[N/x]}$   Π-elimination 

(tc)    $\dfrac{\Delta \vdash M : A,\quad \Delta \vdash B : {*}}{\Delta \vdash M : B}$   $A \leftrightarrow B$       type conversion 


The first three rules construct the type of a term from the types of its subterms, 
and correspond exactly to the term formation operations of Π-abstraction, λ- 
abstraction, and application. The first two rules also modify the context, dis- 
charging the newly bound variable x. The final rule (tc) allows the type of a term 
to be replaced with a type to which it converts, establishing the connection between 
computation and the process of constructing the type of a term. 

Notice that each group of rules depends upon the other. The antecedent of the 
(cx) rule is a typing statement that can be proved by any of the type construction 
rules, as well as by the (cp) rule. The antecedents of the type construction rules 
are typing statements that can be proved by the (cp) rule, as well as by the other 
type construction rules. In general, the proof of a typing statement requires the 
mixed use of both kinds of rules. 


2.4. Properties of provable typing statements 


The notation Δ ⊢ φ stands for an arbitrary statement; φ is either a typing, in 
the case of a typing statement, or φ is empty, in the case of an empty statement. 
If φ = M : A, then fv(φ) = fv(M) ∪ fv(A); otherwise, fv(φ) = ∅. Unless 
otherwise noted, the proofs in this subsection proceed by induction on the definition 
of statement provability. 


Well-formedness. Although contexts are sequences of typings rather than sets of 
typings or functions from variables to terms, the proof system is designed so that 
a context in a provable statement will never contain more than one typing for any 
variable. 


Lemma 2.6. If Δ ⊢ φ is provable then, for every x:A ∈ Δ, there is no 
other x:B ∈ Δ for any B. 


Thus we can conveniently think of contexts as partial functions from variables to 
their declared types; i.e., Δ(x) = A iff x:A ∈ Δ. 

An important property of the proof system is that in a provable statement 
Δ ⊢ φ, the type of any free variable in φ or of any declared variable in Δ is guar- 
anteed to contain only previously declared variables that are themselves declared 
in Δ. Certain nonsensical situations can arise if this property does not hold; e.g., 
a variable can have a type containing itself or an undeclared variable. Because 
contexts are sequences, they record the history of the declarations that they con- 
tain. Relative to a variable x, the previously declared variables in a context Δ, i.e., 
those comprising the context in which x was declared, are just those variables that 
precede x in Δ. Let $\Delta^x$ denote the proper prefix of Δ preceding x:A if x:A ∈ Δ. 
Then we have 


Lemma 2.7. If Δ ⊢ φ is provable, then fv(φ) ⊆ dom Δ and, for each 
x ∈ dom Δ, we have that fv(Δ(x)) ⊆ dom $\Delta^x$. 


These two lemmas are equivalent to the “variable restrictions” of [Martin-Löf 1971]. 

Finally, we verify that each term associated with a declared variable x in a 
provable statement is actually a type, i.e., provably of type * in the context in 
which x was declared. 


Lemma 2.8. If Δ ⊢ φ is provable, then $\Delta^x \vdash \Delta(x) : {*}$ is provable for 
each x ∈ dom Δ. 


The type of all types. The type of all types, *, is the type of every type, including 
itself. In the λ*-calculus, a type is any term appearing on the right-hand side of a 
colon in a provable typing statement. Therefore any such term should be provably 
of type * in the same context. 


Lemma 2.9. If Δ ⊢ M : A is provable, then Δ ⊢ A : * is provable. 


Reduction and typing. The following lemmas, or stronger versions of them, are 
proved in [Martin-Löf 1971]; essentially the same proofs work for the λ*-calculus. 


Lemma 2.10 (Replacement). If Δ, x:A ⊢ M : B and Δ ⊢ N : A are 
provable, then Δ ⊢ M[N/x] : B[N/x] is provable. 


Lemma 2.11 (Type Preservation). If Δ ⊢ M : A is provable and M ↠ 
N, then Δ ⊢ N : A is provable. 


Type preservation is sometimes called subject reduction, but we prefer to reserve 
that name for its original meaning as a similar property of untyped λ-terms [Curry 
& Feys 1958, Hindley & Seldin 1986]. 


Lemma 2.12 (Unique Typing). If Δ ⊢ M : A and Δ ⊢ M : B are 
provable, then A ↔ B. 


Static typing. Let any type convertible to the form $\Pi\vec x{:}\vec A.{*}$ be called a *-type. A 
term with a *-type A is either a type, if A = *, or a function returning a type, 
i.e., a type generator. If Δ ⊢ M : A and A is not a *-type, then the erasure of M, 
written |M|, is defined inductively as follows: 


$|x| = x$ 
$|(M\ N)| = \begin{cases} |M| & \text{if } \Delta \vdash N : A \text{ and } A \text{ is a } {*}\text{-type,} \\ (|M|\ |N|) & \text{otherwise.} \end{cases}$ 
$|(\lambda x{:}A.M)| = \begin{cases} |M| & \text{if } A \text{ is a } {*}\text{-type,} \\ (\lambda x.|M|) & \text{otherwise.} \end{cases}$ 


The erasure map removes all type information from a given term, including both 
types and type generators, yielding a term of the untyped λ-calculus. (This defini- 
tion is adapted from the definition of stripping given in [Coquand & Huet 1988].) 


Lemma 2.13 (Static Typing). If Δ ⊢ M : A is provable and A is not a 
*-type, then M ↠ N iff |M| ↠ |N|. 


In other words, the reduction path of a well-typed term coincides with the reduction 
path of its erasure. Therefore it is not necessary to consider any of the type 
information in a term when performing the computation that it describes. 


Non-normalizing terms. It seems to be well known that in the λ*-calculus, and 
in other λ-calculi with type abstraction, no term of type ΠA:*.A has a nf; for 
completeness we prove this fact here. It suffices to show that no term of type 
ΠA:*.A is a nf, from which it follows by Lemma 2.11 that no such term has a nf. 


Lemma 2.14. If () ⊢ M : (ΠA:*.A) is provable, then M is not a nf. 


Proof. We show that M is not a hnf; by contraposition from Proposition 2.5, this 
implies that M is not a nf. 

Suppose that M is a hnf; we shall analyze its structure and see that it cannot 
possibly have the required type. M cannot be * because * is not of type ΠA:*.A 
(the type of * is *, and * ↮ ΠA:*.A, since both are nfs). By Lemma 2.7, M 
must be closed, therefore it cannot be a variable. M cannot be a Π-abstraction 
because any well-typed Π-abstraction has type *. 

If M is an application then, being a hnf, it must be of the form $(Z\ \vec N)$, where 
Z is either *, a Π-abstraction, or a variable. The first two cases are impossible 
because such terms can never have Π-types, and therefore could not be used as 
operators in the (Πe) rule. Since M is closed, Z cannot be a variable. 

If M is a λ-abstraction, say λA:*.N, then by (Πi) it must be that (A:*) ⊢ 
N : A is provable. Again, N cannot be * since * is not of type A. If N is a variable 
then, by Lemma 2.7, it must be A, but A is not of type A. N cannot be a λ- 
or Π-abstraction because neither could be of type A. If N is an application then 
the analysis of the previous paragraph applies, except that Z cannot be a variable 
because the only declared variable is A, which does not have a Π-type. ■ 


2.5. Some constructions 

We now define some of the constructs mentioned in §1, all of which are given 

in [Martin-Löf 1971]. Named λ*-combinators will be defined in the following format: 

$(f\ a\ b) = M$ . 


This is shorthand for $f = \lambda a{:}A.\lambda b{:}B.M$ for appropriate types A and B that can 
be inferred from the context. 


Pairs. An element of a pair, or product, type A × B contains an element of type A 
and an element of type B. A pair type has an injection operation to create pairs 
of that type from elements of the component types, and two projection operations, 
one for each component. 


$A \times B = \Pi X{:}{*}.(A \to B \to X) \to X$ 


$(\mathit{pair}\ A\ B) = \lambda a{:}A.\lambda b{:}B.\lambda X{:}{*}.\lambda f{:}(A \to B \to X).f\ a\ b$ 
$\quad : A \to B \to (A \times B)$ 
$(\mathit{left}\ A\ B) = \lambda z{:}(A \times B).z\ A\ (\lambda a{:}A.\lambda b{:}B.a)$ 
$\quad : (A \times B) \to A$ 
$(\mathit{right}\ A\ B) = \lambda z{:}(A \times B).z\ B\ (\lambda a{:}A.\lambda b{:}B.b)$ 
$\quad : (A \times B) \to B$ 


This is essentially a typed version of the pairing combinator of the untyped λ- 
calculus. For a : A and b : B, the following pairing axioms are easily verified: 


$(\mathit{left}\ A\ B\ (\mathit{pair}\ A\ B\ a\ b)) = a$ 
$(\mathit{right}\ A\ B\ (\mathit{pair}\ A\ B\ a\ b)) = b$ 


This definition easily generalizes to tuples of arbitrary length [Reynolds 1985]. 


Unions. An element of a union, or sum, type A + B contains either an element 
of A or an element of B, together with an indication of which kind of element 
it contains. A union type has one injection operation for each of the component 
types, and a projection operation that allows the element within a union to be 
accessed in a type-safe way. 


$A + B = \Pi X{:}{*}.(A \to X) \to (B \to X) \to X$ 


$(\mathit{inleft}\ A\ B) = \lambda a{:}A.\lambda X{:}{*}.\lambda f{:}A \to X.\lambda g{:}B \to X.f\ a$ 
$\quad : A \to (A + B)$ 


$(\mathit{inright}\ A\ B) = \lambda b{:}B.\lambda X{:}{*}.\lambda f{:}A \to X.\lambda g{:}B \to X.g\ b$ 
$\quad : B \to (A + B)$ 


$(\mathit{case}\ A\ B) = \lambda X{:}{*}.\lambda f{:}A \to X.\lambda g{:}B \to X.\lambda z{:}(A + B).z\ X\ f\ g$ 
$\quad : \Pi X{:}{*}.(A \to X) \to (B \to X) \to (A + B) \to X$ 


For a : A, b : B, a type X, and functions f : A → X and g : B → X, these definitions 
satisfy the following union axioms: 


$(\mathit{case}\ A\ B\ X\ f\ g\ (\mathit{inleft}\ A\ B\ a)) = f\ a$ 
$(\mathit{case}\ A\ B\ X\ f\ g\ (\mathit{inright}\ A\ B\ b)) = g\ b$ 


As with pairs, it is straightforward to generalize this definition to the union of an 
arbitrary number of types [Reynolds 1985]. 


Dependent pairs. A dependent pair type, also called a general sum or an existential type, is to an ordinary pair type as a dependent function type is to a simple function type. A dependent pair type is written $\Sigma x{:}A.B$, with the $\Sigma$ binding $x$ in $B$. An element of $\Sigma x{:}A.B$ can be thought of as a pair consisting of an element $a : A$ and an element of type $B[a/x]$; the type of the second element depends upon the value of the first. When treating dependent pairs as a defined notion, $\Sigma$ cannot be used as a binding operator; instead, it is a function that maps a type $A$ and a function $B$ of type $A \to {*}$ into a type:


$$(\Sigma\ A\ B) = \Pi X{:}{*}.\,(\Pi a{:}A.\,(B\,a) \to X) \to X .$$

The injection operation for dependent pairs is defined by the combinator

$$\begin{aligned}
(\mathit{dpair}\ A\ B) &= \lambda a{:}A.\,\lambda b{:}(B\,a).\,\lambda X{:}{*}.\,\lambda f{:}(\Pi a{:}A.\,(B\,a) \to X).\,f\,a\,b \\
&: \Pi a{:}A.\,(B\,a) \to (\Sigma\ A\ B) ,
\end{aligned}$$


which is much like the injection for pairing except that the type of b has been made 
dependent upon a. 
The left element of a dependent pair, called the witness, can be extracted via

$$\begin{aligned}
(\mathit{wit}\ A\ B) &= \lambda s{:}(\Sigma\ A\ B).\,s\,A\,(\lambda a{:}A.\,\lambda b{:}(B\,a).\,a) \\
&: (\Sigma\ A\ B) \to A ,
\end{aligned}$$

and it is straightforward to verify that

$$(\mathit{wit}\ A\ B\ (\mathit{dpair}\ A\ B\ a\ b)) = a$$


for $a : A$ and $b : (B\,a)$.

The dependent pairs definable in the λ*-calculus have no right-hand projection operation. One might try defining

$$\begin{aligned}
(\mathit{dright}\ A\ B) &= \lambda s{:}(\Sigma\ A\ B).\,s\,(B\,(\mathit{wit}\ A\ B\ s))\,(\lambda a{:}A.\,\lambda b{:}(B\,a).\,b) \\
&: \Pi s{:}(\Sigma\ A\ B).\,B\,(\mathit{wit}\ A\ B\ s) ,
\end{aligned}$$

but dright does not have the indicated type; in fact, dright has no type in the λ*-calculus. Attempting to typecheck the body of dright, under the declarations $A : {*}$, $B : A \to {*}$, and $s : (\Sigma\ A\ B)$, we have

$$\begin{aligned}
s\,(B\,(\mathit{wit}\ A\ B\ s)) &: (\Pi a{:}A.\,(B\,a) \to (B\,(\mathit{wit}\ A\ B\ s))) \to (B\,(\mathit{wit}\ A\ B\ s)) , \\
(\lambda a{:}A.\,\lambda b{:}(B\,a).\,b) &: (\Pi a{:}A.\,(B\,a) \to (B\,a)) ;
\end{aligned}$$

the body of dright is the application of the first term above to the second, and this application is not well-typed.
Although there is no right-hand projection for dependent pairs, the right-hand element can be indirectly accessed via the out operation,

$$\begin{aligned}
(\mathit{out}\ A\ B) &= \lambda s{:}(\Sigma\ A\ B).\,\lambda X{:}{*}.\,\lambda f{:}(\Pi a{:}A.\,(B\,a) \to X).\,s\,X\,f \\
&: (\Sigma\ A\ B) \to \Pi X{:}{*}.\,(\Pi a{:}A.\,(B\,a) \to X) \to X ,
\end{aligned}$$

which obeys the axiom

$$(\mathit{out}\ A\ B\ (\mathit{dpair}\ A\ B\ a\ b)\ X\ f) = (f\,a\,b)$$

for $a : A$, $b : (B\,a)$, a type $X$, and a function $f : \Pi a{:}A.\,(B\,a) \to X$.

We shall make extensive use of dependent pairs in the construction of Girard's paradox. A generalization of dependent pairs to dependent tuples, i.e., elements of type $\Sigma x{:}A.B$, is described in §A.

The above definitions of $\Sigma$, dpair, wit, and out can be used without change in the Calculus of Constructions [Coquand & Huet 1988], but the typing constraints of that system do not allow the witness of a dependent pair to be a type. A weaker form of dependent pair, which is definable in both calculi, allows the witness to be a type but lacks a witness operator.
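The pair, union and dependent-pair combinators of this section, run as untyped terms: an added example in Python, not code from the paper. The type arguments $A$, $B$, $X$ are kept as explicit parameters so that the definitions read like the λ*-terms, but a type-erasing evaluator ignores them; the sample types, values, and the vector-length check handed to out are constructed for the example.

```python
# Added example (not the paper's code): the computational content of the pair,
# union and dependent-pair combinators, with type arguments A, B, X kept as
# explicit parameters that are simply ignored, as a type-erasing evaluator would.

def pair(A, B):
    return lambda a: lambda b: lambda X: lambda f: f(a)(b)

def left(A, B):
    return lambda z: z(A)(lambda a: lambda b: a)

def right(A, B):
    return lambda z: z(B)(lambda a: lambda b: b)

def inleft(A, B):
    return lambda a: lambda X: lambda f: lambda g: f(a)

def inright(A, B):
    return lambda b: lambda X: lambda f: lambda g: g(b)

def case(A, B):
    return lambda X: lambda f: lambda g: lambda z: z(X)(f)(g)

def dpair(A, B):
    return lambda a: lambda b: lambda X: lambda f: f(a)(b)

def wit(A, B):
    return lambda s: s(A)(lambda a: lambda b: a)

def out(A, B):
    return lambda s: lambda X: lambda f: s(X)(f)

def pairing_axioms(a, b):
    """(left A B (pair A B a b)) and (right A B (pair A B a b)); expect (a, b)."""
    A, B = "A", "B"                      # constructed type names, erased at run time
    z = pair(A, B)(a)(b)
    return left(A, B)(z), right(A, B)(z)

def union_axioms(a, b, f, g):
    """(case A B X f g (inleft A B a)) and (case A B X f g (inright A B b));
    expect (f a, g b)."""
    A, B, X = "A", "B", "X"
    c = case(A, B)(X)(f)(g)
    return c(inleft(A, B)(a)), c(inright(A, B)(b))

def dependent_pair_axioms(a, b, f):
    """(wit A B (dpair A B a b)) and (out A B (dpair A B a b) X f); expect (a, f a b).
    Reading A as int and (B a) as 'vectors of length a', the continuation f
    given to out can check that the hidden right component matches the witness."""
    A, B = "int", "a -> vector a"        # constructed names for the type and family
    s = dpair(A, B)(a)(b)
    return wit(A, B)(s), out(A, B)(s)("X")(f)
```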
2.6. Related systems


The λ*-calculus is a rather special-purpose system, having been adapted from [Martin-Löf 1971] specifically for the investigation of dependent function types and the type of all types. In [Meyer & Reinhold 1986] we discussed a more flexible system that was designed for the general study of dependent function types, both with and without the type of all types. For example, we considered an extension of that calculus that would subsume the polymorphic λ-calculus while preserving the properties lost when the type of all types is added. The design of the calculus has been an ongoing project, evolving according to the needs of our research, and we do not wish to address here the complex issues involved in designing a truly general λ-calculus with dependent types. Another advantage of the simplicity of the λ*-calculus is that our results can be carried over to other systems by showing that they are conservative extensions of the λ*-calculus. This is a straightforward task in many cases; it would not be as easy if the λ*-calculus were more general.

The λ*-calculus and the calculus of [Meyer & Reinhold 1986] differ in two ways. First, the context manipulation rules of the latter are much like the thinning rules of Gentzen's sequent calculus [Kleene 1950]; there is no rule for context projection. We originally thought that this method was superior to the style of the λ*-calculus, as it does not require special empty statements to assert the well-formedness of a context. However, further experience with the proof theory of that calculus and similar systems [Barendregt & Rezus 1983, Coquand 1985b] convinced us otherwise. The second difference is that the calculus of [Meyer & Reinhold 1986] uses typed equations between λ-terms rather than the untyped reduction used in the λ*-calculus. This choice complicates the definition of the proof system for typing statements, since it must also contain inference rules for typed equations; the inference rules for contexts, typings, and equations are all interdependent and the system as a whole is more difficult to reason about. There are other situations in which typed equations are more appropriate (e.g., in the study of conservative extensions of algebraic theories by typed λ-calculi [Breazu-Tannen & Meyer 1987]), but for our purposes the simpler calculus suffices.
3. Looping with Girard's paradox
3.1. The λ*-calculus as a logic


[Martin-Löf 1971] defines an intuitionistic type theory, i.e., a higher-order constructive logic, that is essentially equivalent to the λ*-calculus. Central to this theory is the propositions-as-types analogy, which establishes a connection between intuitionistic logics and typed λ-calculi. Also known as the 'formulae-as-types analogy' and the 'Curry-Howard isomorphism,' the analogy was first discovered for the case of positive implicational propositional logic by [Curry & Feys 1958] and extended to first- and second-order intuitionistic logic by [Howard 1969] and [Girard 1972]. Martin-Löf's type theory is based upon a particularly close reading of the analogy, which we briefly review here. More general and complete presentations of the analogy can be found in [Stenlund 1972] and in [Huet 1986].

An intuitionistic type theory is a formal system for doing constructive reasoning about constructible objects. By 'constructible objects' we mean effectively constructible objects, including effectively computable functions. As we have seen, a rich class of computable functions can be defined in the λ*-calculus, and other constructible objects, such as pairs and unions, can be built up from functions. These functions and objects, classified by their types, make up the universe of discourse of Martin-Löf's type theory.

In constructive reasoning, each logical connective is interpreted as a specification of a class of constructible objects. A proposition is proved by exhibiting an object in the class that it describes, so proofs themselves are constructible objects. It turns out that the relationship between a proof and the proposition that it proves is very much like the relationship between an object and its type, as shown in the table below.

Proposition   Proof                                                          Type
P ∧ Q         A proof of P, and a proof of Q.                                P × Q
P ∨ Q         A proof of P, or a proof of Q, and an indication of which      P + Q
              is proved.
P ⊃ Q         An effective method for transforming a proof of P into a       P → Q
              proof of Q.
∀x:A.P        An effective method that, given any a of type A, produces      Πx:A.P
              a proof of P[a/x].
∃x:A.P        A particular a of type A, and a proof of P[a/x].               Σx:A.P
This correspondence justifies the key idea of Martin-Löf's type theory: propositions and types are identified, as are proofs and objects. Paraphrasing Martin-Löf, a proposition is the type of its proofs; conversely, a type is the proposition that is proved by exhibiting an object of that type. When using the λ*-calculus as a type theory, we construct objects, which have types, and we prove propositions about them by constructing other objects, whose types are the propositions (according to the above correspondence) being proved.

The type of all types plays a central role in Martin-Löf's type theory. Since types and propositions are identified, $*$ is not only the type of all types, but also the type of all propositions.* A predicate is a parameterized proposition, so a predicate on a type $A$ is just a function on $A$ returning a proposition, i.e., a function of type $A \to {*}$. Relations are obtained by Currying; e.g., $A \to A \to {*}$ is the type of a binary relation on the type $A$. Higher-order predicates, i.e., predicates on predicates, can also be defined; e.g., a predicate on predicates on a type $A$ is a function of type $(A \to {*}) \to {*}$. Higher-order quantification is expressible because the type of a quantifier-bound variable can be any term of type $*$, including $*$ as well as the type of any predicate. Thus the absurd proposition $\forall P.P$ translates directly into $\bot = \Pi P{:}{*}.P$; the negation of a proposition $P$ is written $\neg P = P \to \bot$.


3.2. The paradox 


The informal construction of Girard's paradox given here is intended to serve as a guide to the full formal construction, given in §B. We give the essential formal definitions in this section and prove the required lemmas informally; a lemma numbered n.m in this section corresponds to lemma m in the full construction. To aid in the reading of the formal construction, we consistently use the outer parenthesization convention of λ-calculus, e.g., $(f\,x)$, rather than the traditional mathematical notation, e.g., $f(x)$.

The essence of the paradox is this: In a type theory with quantification over all 
types, we can construct the set of well-founded sets. We can then define an ordering 
on well-founded sets and show that, under this ordering, the set of well-founded 
sets is a well-founded set that precedes itself—a contradiction. 

An ordered set $\mathcal{A}$ will be repres
ented by a type $A$, a domain predicate $d_A : A \to {*}$, and a (strict) ordering relation $r_A : A \to A \to {*}$. An element $a : A$ is in the ordered set $\mathcal{A}$ iff $(d_A\,a)$ holds. $\mathcal{A}$ will often be written in place of the three elements $A$, $d_A$, and $r_A$ that represent $\mathcal{A}$. We stress that this is a strictly visual device; in a term, $\mathcal{A}$ stands not for one term constructed from these three elements but exactly for '$A\ d_A\ r_A$'. $\mathcal{B}$ is another ordered set represented by $B$, $d_B$, and $r_B$, and similarly for other calligraphic capital letters.

* Moreover, since $*$ is itself a type, $*$ is also a proposition. As a proposition, $*$ is provable because there is a term, namely $*$, of type $*$, so $*$ is a propositional constant that proves itself (!).
An ordered set $\mathcal{A}$ is transitive iff its ordering relation is transitive:

$$(\mathit{Trans}\ \mathcal{A}) = \Pi x, y, z{:}A.\,(r_A\,x\,y) \to (r_A\,y\,z) \to (r_A\,x\,z) .$$

A predicate $C : A \to {*}$ on the elements of an ordered set $\mathcal{A}$ is a chain iff there is a base element $x : A$ such that $x$ is in $\mathcal{A}$ and $x$ satisfies $C$, and, for every $x : A$ satisfying $C$, there is a $y : A$ satisfying $C$ that is smaller than $x$:

$$(\mathit{Chain}\ \mathcal{A}\ C) = [\Sigma x{:}A.\,(d_A\,x) \times (C\,x)] \times [\Pi x{:}A.\,(C\,x) \to \Sigma y{:}A.\,(C\,y) \times (r_A\,y\,x)] .$$

An ordered set is well-founded iff no chains exist within it, i.e., iff the existence of a chain implies absurdity:

$$(\mathit{WF}\ \mathcal{A}) = \Pi C{:}A \to {*}.\,(\mathit{Chain}\ \mathcal{A}\ C) \to \bot$$


An ordered set $\mathcal{A}$ is embedded into an ordered set $\mathcal{B}$ by a function $f : A \to B$ and a bound element $b : B$ iff $b$ is in the domain of $\mathcal{B}$, $f$ is domain-preserving and monotonic, and the range of $f$ is dominated by $b$:

$$\begin{aligned}
(\mathit{Embed}\ \mathcal{A}\ \mathcal{B}\ f\ b) = {} & (d_B\,b) \\
& \times [\Pi x{:}A.\,(d_A\,x) \to (d_B\,(f\,x))] \\
& \times [\Pi x, y{:}A.\,(d_A\,x) \to (d_A\,y) \to (r_A\,x\,y) \to (r_B\,(f\,x)\,(f\,y))] \\
& \times [\Pi x{:}A.\,(d_A\,x) \to (r_B\,(f\,x)\,b)] .
\end{aligned}$$

The ordering on ordered sets is defined in terms of embedding: $\mathcal{A}$ is less than $\mathcal{B}$ iff there exist a function $f$ and an element $b$ such that $f$ and $b$ embed $\mathcal{A}$ into $\mathcal{B}$.

$$(\mathit{Embed\text{-}ord}\ \mathcal{A}\ \mathcal{B}) = \Sigma f{:}A \to B.\,\Sigma b{:}B.\,\mathit{Embed}\ \mathcal{A}\ \mathcal{B}\ f\ b .$$

We abbreviate $(\mathit{Embed}\ \mathcal{A}\ \mathcal{B}\ f\ b)$ by $\mathcal{A} <_{f,b} \mathcal{B}$, and $(\mathit{Embed\text{-}ord}\ \mathcal{A}\ \mathcal{B})$ by $\mathcal{A} < \mathcal{B}$.
Two elements $x$ and $y$ of a type $A$ are intensionally equal iff every predicate true of $x$ is true of $y$:

$$(\mathit{Eq}\ A\ x\ y) = \Pi P{:}(A \to {*}).\,(P\,x) \to (P\,y) .$$

It is easy to show that intensional equality is reflexive, symmetric, and transitive. We shall abbreviate $(\mathit{Eq}\ A\ x\ y)$ by $x = y$ when $A$ is obvious.

To represent the ordered set of well-founded sets, we need a type $U$ of ordered sets, a domain predicate $d_U : U \to {*}$ that is true only of the well-founded sets, and an ordering relation $r_U : U \to U \to {*}$ defined in terms of embeddings. Defining $U$ presents some difficulties, as we must somehow merge the three components $A$, $d_A$, and $r_A$ representing an ordered set $\mathcal{A}$ into a single element of type $U$. It is tempting to use dependent pair types, but these cannot be made to work due to the lack of a right-hand projection. The solution is to arrange that the injection of a particular ordered set $\mathcal{A}$ into $U$ is a predicate true of precisely those predicates true of $\mathcal{A}$. Thus, defining OS-pred as the type of predicates on ordered sets,

$$\mathit{OS\text{-}pred} = \Pi A{:}{*}.\,(A \to {*}) \to (A \to A \to {*}) \to {*} ,$$

we have $U = \mathit{OS\text{-}pred} \to {*}$, and the injection inj is simply

$$(\mathit{inj}\ \mathcal{A}) = \lambda S{:}\mathit{OS\text{-}pred}.\,S\,\mathcal{A} .$$

If the injections of two ordered sets are intensionally equal, then any property true of the first is true of the second.


Lemma 3.1. If $(\mathit{inj}\ \mathcal{A}) = (\mathit{inj}\ \mathcal{B})$ and $(P\,\mathcal{A})$, then $(P\,\mathcal{B})$.

Proof. Apply the proof of $(\mathit{inj}\ \mathcal{A}) = (\mathit{inj}\ \mathcal{B})$ to $(\lambda u{:}U.\,u\,P)$ and the proof of $(P\,\mathcal{A})$. ∎
The domain predicate on $U$ is defined

$$(d_U\,u) = \Sigma A{:}{*}.\,\Sigma d_A{:}A \to {*}.\,\Sigma r_A{:}A \to A \to {*}.\ (\mathit{Eq}\ U\ u\ (\mathit{inj}\ \mathcal{A})) \times (\mathit{Trans}\ \mathcal{A}) \times (\mathit{WF}\ \mathcal{A}) ,$$

and the ordering relation on $U$ is defined

$$\begin{aligned}
(r_U\,u\,v) = {} & \Sigma A{:}{*}.\,\Sigma d_A{:}A \to {*}.\,\Sigma r_A{:}A \to A \to {*}. \\
& \Sigma B{:}{*}.\,\Sigma d_B{:}B \to {*}.\,\Sigma r_B{:}B \to B \to {*}. \\
& (\mathit{Eq}\ U\ u\ (\mathit{inj}\ \mathcal{A})) \times (\mathit{Eq}\ U\ v\ (\mathit{inj}\ \mathcal{B})) \times (\mathit{Embed\text{-}ord}\ \mathcal{A}\ \mathcal{B}) .
\end{aligned}$$

We shall write $\mathcal{U}$ for the ordered set represented by $U$, $d_U$, and $r_U$.

We now prove the lemmas necessary to show that $\mathcal{U}$ is a well-founded set.


Most lemmas are stated informally, in which case a more formal version of the 
same statement follows in square brackets. 


Lemma 3.2. Any ordered set in $\mathcal{U}$ is transitive and well-founded.
[If $(d_U\,(\mathit{inj}\ \mathcal{A}))$ then $(\mathit{Trans}\ \mathcal{A})$ and $(\mathit{WF}\ \mathcal{A})$.]

Proof. Follows from Lemma 3.1 and the symmetry of intensional equality. ∎


Lemma 3.3. If $\mathcal{A} <_{f_{AB},\,b_{AB}} \mathcal{B}$ and $\mathcal{B} <_{f_{BC},\,b_{BC}} \mathcal{C}$, then there exist $f_{AC}$ and $b_{AC}$ such that $\mathcal{A} <_{f_{AC},\,b_{AC}} \mathcal{C}$ and $(r_C\,b_{AC}\,b_{BC})$.

Proof. Suppose that $f_{AB}$ and $b_{AB}$ embed $\mathcal{A}$ into $\mathcal{B}$. Let $f_{AC} = f_{BC} \circ f_{AB}$, and let $b_{AC} = (f_{BC}\,b_{AB})$. It is straightforward to check that the required properties hold. ∎


Corollary 3.4. The relation $<$ is transitive.
[If $\mathcal{A} < \mathcal{B}$ and $\mathcal{B} < \mathcal{C}$, then $\mathcal{A} < \mathcal{C}$.]


The formal proofs of the remaining lemmas require uses of Lemma 3.1 and the 
properties of intensional equality; these will not be mentioned in the informal 
proofs given here. 


Lemma 3.5. $\mathcal{U}$ is transitive. [$(\mathit{Trans}\ \mathcal{U})$.]

Proof. Follows immediately from Corollary 3.4. ∎

Lemma 3.6. $\mathcal{U}$ is well-founded. [$(\mathit{WF}\ \mathcal{U})$.]


Proof by contradiction. Suppose that $C$ is a chain in $\mathcal{U}$. The base of $C$ is an ordered set, say $\mathcal{Z}$, that satisfies $d_U$. By Lemma 3.2, $\mathcal{Z}$ is well-founded; we shall contradict this fact by using $C$ to construct a chain $D$ in $\mathcal{Z}$. Define $D$ to be the predicate

$$D = \lambda a{:}Z.\,\Sigma Y{:}{*}.\,\Sigma d_Y{:}Y \to {*}.\,\Sigma r_Y{:}Y \to Y \to {*}.\,\Sigma f{:}Y \to Z.\ (C\,(\mathit{inj}\ \mathcal{Y})) \times (\mathit{Embed}\ \mathcal{Y}\ \mathcal{Z}\ f\ a) .$$

To prove that $D$ is a chain in $\mathcal{Z}$, we must show that $D$ has a base element $a_0 : Z$ such that $(d_Z\,a_0)$, and that every element of $Z$ in $D$ has a predecessor in $D$.

Let $\mathcal{W}$ be a predecessor of $\mathcal{Z}$ in $C$. Taking $a_0$ to be the bound on the embedding from $\mathcal{W}$ to $\mathcal{Z}$, we immediately see that $(d_Z\,a_0)$ and that $a_0$ is in $D$.

If $a : Z$ is in $D$, then there exist an ordered set $\mathcal{Y}$ and a function $f : Y \to Z$ such that $\mathcal{Y}$ is in $C$ and $\mathcal{Y} <_{f,a} \mathcal{Z}$. Furthermore, there must exist an $\mathcal{X}$ in $C$ such that $\mathcal{X} < \mathcal{Y}$, since $\mathcal{Y}$ is in $C$. By Lemma 3.3, we have an $f' : X \to Z$ and an $a' : Z$ such that $\mathcal{X} <_{f',a'} \mathcal{Z}$ and $(r_Z\,a'\,a)$. The predecessor of $a$ in $D$ is $a'$. ∎

By Lemma 3.5 and Lemma 3.6, $\mathcal{U}$ is a transitive, well-founded set, hence $\mathcal{U}$ is in $\mathcal{U}$, i.e., $(d_U\,(\mathit{inj}\ \mathcal{U}))$.

Next we show that, under the embedding ordering, any ordered set in $\mathcal{U}$ is less than $\mathcal{U}$. Given an ordered set $\mathcal{A}$ and an element $a : A$, the initial segment of $\mathcal{A}$ relative to $a$ is the ordered set $\mathcal{A}_a$ represented by the type $A$, the ordering relation $r_A$, and the new domain predicate

$$(d_{A_a}\,x) = (d_A\,x) \times (r_A\,x\,a) .$$

Lemma 3.7. Any initial segment of an ordered set in $\mathcal{U}$ is itself in $\mathcal{U}$.
[If $(d_U\,(\mathit{inj}\ \mathcal{A}))$ and $(d_A\,a)$ for some $a : A$, then $(d_U\,(\mathit{inj}\ \mathcal{A}_a))$.]
Proof. Let $\mathcal{A}$ be in $\mathcal{U}$, and let $a : A$ be such that $(d_A\,a)$. The initial segment $\mathcal{A}_a$ is transitive because $\mathcal{A}$ is transitive; similarly, any chain in $\mathcal{A}_a$ is clearly a chain in $\mathcal{A}$. Hence $\mathcal{A}_a$ is transitive and well-founded. ∎


Lemma 3.8. $\mathcal{A} < \mathcal{U}$ for any ordered set $\mathcal{A}$ in $\mathcal{U}$.
[If $(d_U\,(\mathit{inj}\ \mathcal{A}))$, then $\mathcal{A} < \mathcal{U}$.]

Proof. Let $\mathcal{A}$ be in $\mathcal{U}$, and let $f : A \to U$ be the function mapping an element $a : A$ to the ordered set $\mathcal{A}_a$. Then $f$ embeds $\mathcal{A}$ into $\mathcal{U}$ with the embedding bound being $\mathcal{A}$ itself. $\mathcal{A}$ satisfies $d_U$ by hypothesis, and $f$ is domain-preserving by Lemma 3.7. Let $x$ and $y$ be elements of $A$ such that $(r_A\,x\,y)$; the identity function embeds $\mathcal{A}_x$ into $\mathcal{A}_y$ with bound $x$, so $f$ is monotonic. Similarly, for any element $x$ of $A$, the identity function embeds $\mathcal{A}_x$ into $\mathcal{A}$ with bound $x$, hence the range of $f$ is dominated by $\mathcal{A}$. ∎

By Lemma 3.5, Lemma 3.6, and Lemma 3.8, we have that $\mathcal{U} < \mathcal{U}$, and thus $(r_U\,(\mathit{inj}\ \mathcal{U})\,(\mathit{inj}\ \mathcal{U}))$. The predicate

$$\lambda u{:}U.\,(u = (\mathit{inj}\ \mathcal{U}))$$

describes a chain in $\mathcal{U}$: the base of the chain is $(\mathit{inj}\ \mathcal{U})$, and the predecessor of $(\mathit{inj}\ \mathcal{U})$ is just $(\mathit{inj}\ \mathcal{U})$. The existence of this chain contradicts Lemma 3.6, and leads to a proof of $\bot$ in the formal construction.


3.3. Building a looping combinator 


Let $Z$ denote the proof of $\bot$ obtained by constructing the formal proof of Girard's paradox; i.e., $Z : (\Pi A{:}{*}.A)$. By Lemma 2.14, $Z$ has no normal form, and hence the λ*-calculus is not strongly normalizing. Reducing $Z$, we find that the following pattern emerges:

$$\begin{aligned}
Z = (\mathit{lemma6}\ C\ c) &\twoheadrightarrow (\mathit{lemma2b}\ \cdots) \\
&\twoheadrightarrow (\mathit{lemma6}\ \cdots) \\
&\twoheadrightarrow (\mathit{lemma2b}\ \cdots) \cdots ,
\end{aligned}$$


where lemma6 is the formal proof of Lemma 3.6 and lemma2b is the formal proof of the second consequence of Lemma 3.2. To convert $Z$ into a looping combinator, and thus harness this repetitive pattern, we make the following minor changes to the paradox construction. First, the absurd type $\bot$ is replaced by the type of polymorphic looping combinators, namely

$$\mathit{Loop} = \Pi A{:}{*}.\,(A \to A) \to A ,$$
in the definition of WF and in the formal proof of Lemma 3.7. With the redefinition of WF, Lemma 3.6 becomes

$$\Pi C{:}U \to {*}.\,(\mathit{Chain}\ \mathcal{U}\ C) \to \mathit{Loop} ;$$


the formal proof lemma6 of Lemma 3.6 must be changed so that, given a chain $C$ in $\mathcal{U}$ and a proof that $C$ is a chain, it returns a looping combinator. The redefinition of WF further implies that lemma2b, which is used in the body of Lemma 3.6, will also return a looping combinator. We thus modify lemma6 to take two more arguments, a type $A$ and a function $f : A \to A$, and we change the body of lemma6 to supply $A$ and $f$ as additional arguments to the proof of Lemma 3.2 and to apply $f$ to the result of that application. In symbols,

$$\mathit{lemma6} = \lambda C{:}U \to {*}.\,\lambda c{:}(\mathit{Chain}\ \mathcal{U}\ C).\ \cdots (\mathit{lemma2b}\ \cdots)$$

is transformed into

$$\mathit{lemma6} = \lambda C{:}U \to {*}.\,\lambda c{:}(\mathit{Chain}\ \mathcal{U}\ C).\,\lambda A{:}{*}.\,\lambda f{:}A \to A.\ \cdots f\,((\mathit{lemma2b}\ \cdots)\ A\ f) .$$


Making these changes to $Z$ yields an initial looping combinator $L_0$, which is called loop in §B. Reduction of $L_0$ reveals the pattern

$$\begin{aligned}
(L_0\ A\ f) &\twoheadrightarrow (\mathit{lemma6}\ C\ c\ A\ f) \\
&\twoheadrightarrow f\,((\mathit{lemma2b}\ \cdots)\ A\ f) \\
&\twoheadrightarrow f\,(\mathit{lemma6}\ \cdots\ A\ f) \\
&\twoheadrightarrow f\,(f\,((\mathit{lemma2b}\ \cdots)\ A\ f)) \twoheadrightarrow \cdots ,
\end{aligned}$$

which is exactly the behavior required of a looping combinator.

We have very convincing evidence that this cyclic pattern continues forever, i.e., that $L_0$ is a true looping combinator. After 970,000 reductions of $L_0$ by the LP program, we obtain the combinator

$$L_{69} = \lambda A{:}{*}.\,\lambda f{:}A \to A.\,f^{69}\,(L_{70}\ A\ f) ,$$

which iterates the given function $f$ at least 69 times. Up to this point, the number of reductions involved is exponential in the number of iterations obtained. (We were forced to stop after 970,000 reductions due to virtual memory limitations.) This empirical analysis of $L_0$ is quite persuasive, but it does not constitute a proof that $L_0$ is in fact a looping combinator. [Howe 1987] carried out a similar construction of Girard's paradox with the assistance of the NUPRL proof development system [Constable 1986]. Howe applied the looping combinator construction method described above [Reinhold 1986], and proved that the resulting term is a true looping combinator by reasoning about its reduction behavior. More recently, [Coquand 1987] has proposed an argument that any term of type $\bot$ must behave in a regenerative manner similar to that of $Z$, and that it will do so forever. Assuming that this argument can be made rigorous, the correctness of our construction method follows.


Theorem 3.9. $L_0$ is a looping combinator.

4. Undecidability


We now prove that the existence of looping combinators in the λ*-calculus implies that the normal-form relation of the λ*-calculus is undecidable, from which it follows that its equational and typing theories are undecidable as well.

As our undecidability proof is somewhat novel, we wish to make it generally applicable. Therefore, we first prove the result for abstract reduction systems, of which all typed λ-calculi are instances. We show that if a reduction system is rich enough to compute all total recursive functions, then the normal-form relation of the system is undecidable. We then show that a particular reduction system, a typed λ-calculus with integers and looping combinators (the λ^N-calculus), satisfies these requirements. Finally, we introduce a notion of embedding between reduction systems and prove that embeddings preserve the computability of classes of functions; by showing how to embed λ^N into λ*, we obtain the undecidability result for the λ*-calculus.

Henceforth, the term ‘recursive function’ will mean total recursive function. 


4.1. Reduction systems 


A reduction system is a three-tuple $(R, \to_R, \cdot_R)$ consisting of a set $R$ of terms, a binary reduction relation $\to_R \subseteq R \times R$, and a binary application operation $\cdot_R \in R \times R \to R$. The reflexive, transitive closure of $\to_R$ is written $\twoheadrightarrow_R$. We shall write $\cdot_R$ as though it were left-associative, and sans subscript when it is possible to do so unambiguously. A reduction system will often be specified by mentioning only its set of terms.

A term $M$ of a reduction system $R$ is a normal form iff there is no $N \in R$ such that $M \to_R N$.


The normal-form relation $\mathit{NF}(R)$ of a reduction system $R$ is defined as

$$\mathit{NF}(R) = \{(M, N) \in R \times R \mid M \twoheadrightarrow N \text{ and } N \text{ a nf}\} ;$$

i.e., the set of pairs of terms such that the first reduces to the second, and the second is a normal form.

A reduction system with numerals is a four-tuple $(R, \to_R, \cdot_R, \mathit{num}_R)$ such that $(R, \to_R, \cdot_R)$ is a reduction system and $\mathit{num}_R$ is a recursive bijection mapping integers to normal forms of $R$; the range of $\mathit{num}_R$ is the set of numerals of $R$. The fact that $\mathit{num}_R$ is a bijection implies that the numerals are distinct, that every numeral is associated with a unique integer, and vice versa. For an integer $n$, $\mathit{num}_R(n)$ will be written as $\ulcorner n \urcorner_R$, dropping the subscript when the context determines $R$.


4.2. Undecidability in reduction systems 


We must first precisely define what it means for a recursive function to be computable in a reduction system. We say that a total numeric function $\varphi \in \mathbf{N}^k \to \mathbf{N}$ for some $k > 0$ is numeralwise representable [Kleene 1950] in a reduction system with numerals $R$ if there is a term $F \in R$ such that

$$\varphi(n_1, n_2, \ldots, n_k) = m \iff F \cdot \ulcorner n_1 \urcorner \cdot \ulcorner n_2 \urcorner \cdots \ulcorner n_k \urcorner \twoheadrightarrow \ulcorner m \urcorner . \quad (1)$$


This definition is quite general in that it does not specify whether the $R$-terms have types nor whether they are open or closed. If we define $\bar n = n_1, n_2, \ldots, n_k$ for integers $n_i$ ($1 \le i \le k$), define $F \cdot \bar M = F \cdot M_1 \cdot M_2 \cdots M_k$ for terms $F$ and $M_i$ ($1 \le i \le k$), and extend the numeral notation $\ulcorner\ \urcorner$ to work on vectors in the obvious way, then (1) becomes

$$\varphi(\bar n) = m \iff F \cdot \ulcorner \bar n \urcorner \twoheadrightarrow \ulcorner m \urcorner . \quad (2)$$


The forward direction of (2) is often called definability [Barendregt 1984, p. 135]. Given a reduction system $R$ and a recursive function $\varphi$, finding an $F \in R$ that defines $\varphi$ is usually straightforward. But the fact that $F$ defines $\varphi$ does not imply that $F$ completely characterizes $\varphi$; if $F$ defines $\varphi$ but does not numeralwise represent it (i.e., the reverse direction of (2) does not hold), then it is possible that $F \cdot \ulcorner \bar n \urcorner \twoheadrightarrow \ulcorner z \urcorner$ for some $z \ne m$.

One way to prove that such an $F$ numeralwise represents $\varphi$ is to show that the Church-Rosser property holds for $R$. However, a weaker condition suffices. Define the unique answer condition for a term $F$ as

$$\forall \bar n.\ \forall m_1, m_2.\ (F \cdot \ulcorner \bar n \urcorner \twoheadrightarrow \ulcorner m_1 \urcorner \ \wedge\ F \cdot \ulcorner \bar n \urcorner \twoheadrightarrow \ulcorner m_2 \urcorner) \implies m_1 = m_2 .$$

Then we have:


Lemma 4.1. Let $\varphi \in \mathbf{N}^k \to \mathbf{N}$ be defined by a term $F$ in a reduction system with numerals. The unique answer condition holds for $F$ iff $F$ numeralwise represents $\varphi$.

Proof. Straightforward. ∎

While the Church-Rosser property applies to an entire reduction system, the unique answer condition applies only to the particular terms used to define particular functions. Of course, if the Church-Rosser property holds for a reduction system $R$, then the unique answer condition holds for all terms in $R$.
At the end of this section, we shall prove that the recursive functions are numeralwise representable in the λ*-calculus. Once this is established, we have the undecidability result via the following:


Theorem 4.2. If the recursive functions are numeralwise representable in a reduction system $R$, then $\mathit{NF}(R)$ is undecidable.

Proof. Every decidable set has a recursive characteristic function and, by numeralwise representability, the graph of any such function is recursive in $\mathit{NF}(R)$. Therefore every decidable set is recursive in $\mathit{NF}(R)$. Now suppose that $\mathit{NF}(R)$ is decidable. Then there is a recursive function $T \in \mathbf{N} \to \mathbf{N}$ such that every decidable set is in $\mathrm{TIME}(T)$, the class of sets of deterministic time complexity $T$. But this contradicts the time hierarchy theorem of complexity theory [Hopcroft & Ullman 1979], so $\mathit{NF}(R)$ must be undecidable. ∎


Representing partial functions. Why not prove the undecidability result by showing that the partial recursive functions are numeralwise representable in the λ*-calculus? To begin with, the previous definition of numeralwise representability is not adequate for partial functions. If a partial recursive function $\varphi$ is undefined at some argument vector $\bar n$, to what shall the representing term $F$ reduce when applied to $\ulcorner \bar n \urcorner$? We think of a λ-term as having computed some value when it reduces to a normal form, so it is natural to propose that undefined values be represented by terms with no normal form.*

If we accept this proposal, then we must ensure that $F \cdot \ulcorner \bar n \urcorner$ has no normal form when $\varphi(\bar n)$ is undefined. Recall that in the λ*-calculus, as in many reduction systems, there is more than one way to go about reducing a term; i.e., there are multiple reduction strategies. In particular, there is more than one way to proceed from $F \cdot \ulcorner \bar n \urcorner$. Hence, we must ensure that no reduction strategy allows $F \cdot \ulcorner \bar n \urcorner$ to reach a normal form when $\varphi(\bar n)$ is undefined.

The minimalization operation is the only possible source of divergence in a partial recursive function expressed in terms of the initial functions and the standard function-forming operations, and the only known way of implementing minimalization in the λ*-calculus is with a looping combinator. Therefore, to ensure that minimalization diverges when appropriate, we must ensure that the looping combinator itself, in any context, cannot reach a normal form under any reduction strategy. The known results about looping combinators in the λ*-calculus only assert the existence of a single non-normalizing reduction path. If some untried strategy allows the looping combinator to reach a normal form, then a term representing a partial recursive function $\varphi$ might have a normal form where $\varphi$ is undefined.

* Church made this identification early in the development of the untyped λ-calculus; Barendregt and Wadsworth later suggested that undefined values be represented by terms with no head normal form (the so-called unsolvable terms) [Barendregt 1984, §2.2].


4.3. The λ^N-calculus

The typed λ-calculus with integers and looping combinators, the λ^N-calculus, is an instance of the finitely-typed λ-calculus [Barendregt 1984, Appendix A]. Rather than use the traditional syntax, we prefer to use the syntax of λ-terms given in §2. The only significant difference is that the type of a variable is not part of its name in our syntax; the type of a variable is given where it is bound, or by the context in the case of free variables.

The λ^N-calculus has a single base type $N$, representing the natural numbers, and the following typed constants for integer arithmetic:

$$\begin{array}{ll}
0 : N & \text{zero constant} \\
s : N \to N & \text{successor} \\
c : N \to N \to N \to N & \text{conditional} \\
p : N \to N & \text{predecessor}
\end{array}$$

The numerals of λ^N are formed from $0$ and $s$. For any terms $M$ and $N$, define $(M^0\,N) = N$ and $(M^{i+1}\,N) = (M\,(M^i\,N))$; then $\ulcorner i \urcorner = (s^i\,0)$. Each numeral is a normal form simply because none of the δ-reduction rules for the arithmetic constants, defined below, are applicable to numerals.

$$(p\,(s^{i+1}\,0)) \to_\delta (s^i\,0)$$


The final line above is actually a reduction rule scheme, used here because the simpler rule

$$(p\,(s\,x)) \to_\delta x$$

expresses a stronger condition than is necessary. In particular, this rule is not satisfied by the predecessor combinator to be defined in the λ*-calculus, which must mimic $p$ in order to embed λ^N into λ*. The λ*-combinator, adapted from the polymorphic λ-calculus, can compute the predecessor of a numeral, but it cannot compute the predecessor of $(s\,x)$ when $x$ is a variable.
The λ^N-calculus also has a countably infinite set of looping combinators. There is an initial looping combinator

$$L_0 : (N \to N) \to N$$

and, for every looping combinator $L_i$, there is a successor looping combinator $L_{i+1}$ of the same type such that $(L_i\,F) \to_\delta F\,(L_{i+1}\,F)$.


From the remarks made above, we have: 

Lemma 4.3. The λ^N-calculus is a reduction system with numerals.

We shall also need:

Lemma 4.4. Reduction in the λ^N-calculus is Church-Rosser.

Proof. Follows immediately from [Barendregt 1984, Theorem 15.3.3]. ∎


4.4. Representing recursive functions in the λ^N-calculus

Closely following [Barendregt 1984, §6.4], we show that the functions that are numeralwise representable in λ^N include the recursive functions. For $k \ge 1$, define

$$N^k \to N = \underbrace{N \to N \to \cdots \to N}_{k} \to N .$$

The type $N^k \to N$ will be the type of a term representing a $k$-ary numeric function; rather than introducing cartesian product (tuple) types, the $k$ arguments are "Curried."

Say that a total function $\varphi \in \mathbf{N}^k \to \mathbf{N}$ is λ^N-representable iff it is numeralwise representable by a closed term of type $N^k \to N$ when the λ^N-calculus is viewed as a reduction system with numerals. The condition that $F$ be closed and of the appropriate type is necessary because λ^N is a typed calculus and we shall construct new representing terms by applying and abstracting over previously constructed representing terms.

In each of the propositions leading up to the main lemma, all of the real work involves proving that some recursive function is definable in λ^N. That the function is also representable in λ^N follows immediately by Lemma 4.4 and Lemma 4.1.


Proposition 4.5. The initial functions are λ^N-representable.

Proof. For the successor function and the zero constant, simply use the successor and zero constants of λ^N. For $0 < i \le k$, the $i$th projection function on $k$-tuples is represented by the term

$$\pi_i^k = \lambda x_1{:}N.\,\lambda x_2{:}N.\,\cdots.\,\lambda x_k{:}N.\,x_i . \quad (1)$$

If we define

$$\lambda \bar x{:}N^k.\,M = \lambda x_1{:}N.\,\lambda x_2{:}N.\,\cdots.\,\lambda x_k{:}N.\,M ,$$

then (1) becomes

$$\pi_i^k = \lambda \bar x{:}N^k.\,x_i .$$


Proposition 4.6. The λ^N-representable functions are closed under composition.

Proof. Let $\varphi \in \mathbf{N}^l \to \mathbf{N}$ be defined by

$$\varphi(\bar n) = \chi(\psi_1(\bar n), \psi_2(\bar n), \ldots, \psi_k(\bar n)) .$$

Assume that the $k$-argument function $\chi$ is represented by a term $G : N^k \to N$, and that the $l$-argument functions $\psi_1, \psi_2, \ldots, \psi_k$ are represented by $H_1, H_2, \ldots, H_k$ of type $N^l \to N$. Then $\varphi$ is represented by the term

$$\lambda \bar x{:}N^l.\,G\,(H_1\,\bar x)\,(H_2\,\bar x) \cdots (H_k\,\bar x) .$$

∎


Proposition 4.7. The λ^Y-representable functions are closed under
primitive recursion.

Proof. Suppose that φ ∈ N^{l+1} → N is defined by the primitive recursive scheme

    φ(n̄, 0) = χ(n̄) ,
    φ(n̄, k+1) = ψ(n̄, k, φ(n̄, k)) ,

that χ is represented by a term G : N^l → N, and that ψ is represented by a
term H : N^{l+2} → N. We shall compute φ(n̄, k) by using a looping combinator to
iteratively compute φ(n̄, k−1). Letting ȳ stand for the arguments n̄, define

    F = λf:N→N.λx:N.c x (G ȳ) (H ȳ (p x) (f (p x))) .

If we had a true Y combinator, then we could represent φ by (λȳ:N^l. Y F). However,
we only need the looping behavior here in order for F to work as required, so
a looping combinator L_i suffices. We shall show by induction on k that φ(ȳ, k) is
represented by (L_i F ⌜k⌝) for any i. By λ-abstraction, it follows immediately that
φ is represented by (λȳ:N^l. L_i F).

For the basis, k = 0 and we have

    L_i F ⌜0⌝ = L_i F 0
              → F (L_{i+1} F) 0
              →→ c 0 (G ȳ) (H ȳ (p 0) (L_{i+1} F (p 0)))
              → G ȳ .

Since G represents χ by hypothesis, we have that (L_i F ⌜0⌝) represents φ(ȳ, 0).
For k+1 > 0, we have

    L_i F ⌜k+1⌝ = L_i F (s ⌜k⌝)
                → F (L_{i+1} F) (s ⌜k⌝)
                →→ c (s ⌜k⌝) (G ȳ) (H ȳ (p (s ⌜k⌝)) (L_{i+1} F (p (s ⌜k⌝))))
                → H ȳ (p (s ⌜k⌝)) (L_{i+1} F (p (s ⌜k⌝)))
                →→ H ȳ ⌜k⌝ (L_{i+1} F ⌜k⌝) .

By induction, we know that (L_{i+1} F ⌜k⌝) represents φ(ȳ, k); since H represents ψ
by hypothesis, it follows that (L_i F ⌜k+1⌝) represents φ(ȳ, k+1).


Proposition 4.8. The λ^Y-representable functions are closed under
minimalization.

Proof. Suppose that φ ∈ N^k → N is defined by

    φ(n̄) = μm.χ(n̄, m) = 0

for a numeric function χ ∈ N^{k+1} → N such that ∀n̄.∃m.χ(n̄, m) = 0. To compute
φ(n̄), we shall use a looping combinator to recursively check χ(n̄, 0), then χ(n̄, 1),
and so on until an m is found such that χ(n̄, m) = 0. The search will always
terminate because we have assumed that such an m exists. It is this assumption
that restricts the representability result to the total, as opposed to partial, recursive
functions.


First, let us see how to search in the simple case when k = 0. 


Claim. Suppose that ψ ∈ N → N is represented by P : N → N. Then
there is a term search such that (L_0 (search P) 0) →→ ⌜m⌝, where m =
(μm.ψ(m) = 0).

Proof. Define

    search = λg:N→N.λf:N→N.λx:N.c (g x) x (f (s x)) .

By induction on m − i, we prove that (L_i (search P) ⌜i⌝) →→ ⌜m⌝ if i ≤ m. If m = i
then ψ(i) = 0; hence (P ⌜i⌝) →→ 0 and we have the following reductions:

    L_i (search P) ⌜i⌝ → (search P) (L_{i+1} (search P)) ⌜i⌝
                       →→ c (P ⌜i⌝) ⌜i⌝ (L_{i+1} (search P) (s ⌜i⌝))
                       →→ c 0 ⌜i⌝ (L_{i+1} (search P) (s ⌜i⌝))
                       → ⌜i⌝ .

On the other hand, if i < m then ψ(i) = n ≠ 0 (n exists because ψ is total);
therefore (P ⌜i⌝) →→ ⌜n⌝ and we have

    L_i (search P) ⌜i⌝ →→ c (P ⌜i⌝) ⌜i⌝ (L_{i+1} (search P) (s ⌜i⌝))
                       →→ c ⌜n⌝ ⌜i⌝ (L_{i+1} (search P) (s ⌜i⌝))
                       → L_{i+1} (search P) (s ⌜i⌝)
                       = L_{i+1} (search P) ⌜i+1⌝ .

By induction, (L_{i+1} (search P) ⌜i+1⌝) →→ ⌜m⌝. Thus, if we begin searching at 0,
(L_0 (search P) 0) will reduce to ⌜m⌝ since m ≥ 0 for any ψ. ∎

To complete the proof of the proposition, assume that χ is represented by a
term G : N^{k+1} → N. For a particular vector of arguments n̄, we can compute
μm.χ(n̄, m) = 0 by defining ψ(m) = χ(n̄, m) and computing μm.ψ(m) = 0. Now
(G ⌜n̄⌝) represents ψ, therefore φ is represented by the term

    F = λx̄:N^k. L_0 (search (G x̄)) 0 .

By the claim, (F ⌜n̄⌝) →→ ⌜μm.χ(n̄, m) = 0⌝, for any n̄.

Lemma 4.9. The recursive functions are λ^Y-representable.

Proof. By the preceding Propositions. ∎
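The constructions of Propositions 4.5 through 4.8, simulated as an added Python example rather than as λ^Y terms from the thesis: numerals are Python ints, the constants s, p and c are functions, and L(i) plays the i-th looping combinator, unfolding (L_i F) to (F (L_{i+1} F)). It assumes a call-by-value host, so c takes its two branches as thunks; the sample functions (addition, factorial, integer square root) are constructed here.

```python
"""Simulation of the lambda^Y reduction system of section 4.4 in Python. This is
an added example, not a term from the thesis. Numerals are Python ints, the
constants s, p and c are Python functions, and L(i) plays the i-th looping
combinator, so that (L_i F) unfolds to (F (L_{i+1} F)) exactly as in the
proofs of Propositions 4.7 and 4.8. Assumption: Python is call-by-value, so c
takes its two branches as zero-argument thunks to mimic the lazy reduction
rules c 0 M N -> M and c (s k) M N -> N."""

def s(n):
    return n + 1                          # successor constant

def p(n):
    return max(n - 1, 0)                  # predecessor: p 0 -> 0, p (s k) -> k

def c(n, a, b):
    return a() if n == 0 else b()         # conditional; a and b are thunks

UNFOLDINGS = []                           # index i of every (L_i F) unfolding performed

def L(i):
    """The i-th looping combinator. (L_i F) reduces to (F (L_{i+1} F)); L_i F and
    L_{i+1} F are different terms, so L_i is a looping combinator but not a
    fixed-point operator. Eta-expanded so the unfolding only happens when applied."""
    def loop(F):
        def unfolded(x):
            UNFOLDINGS.append(i)
            return F(L(i + 1)(F))(x)
        return unfolded
    return loop

def compose(G, *Hs):
    """Proposition 4.6: lambda xbar. G (H_1 xbar) ... (H_k xbar)."""
    return lambda *xs: G(*(H(*xs) for H in Hs))

def prim_rec(G, H):
    """Proposition 4.7: phi(ybar, 0) = chi(ybar), phi(ybar, k+1) = psi(ybar, k, phi(ybar, k)),
    with chi represented by G and psi by H. Returns phi curried as ybar -> k -> result,
    i.e. the term (lambda ybar. L_0 F) with F = lambda f. lambda x. c x (G ybar) (H ybar (p x) (f (p x)))."""
    def phi(*ys):
        def F(f):
            return lambda x: c(x, lambda: G(*ys),
                                  lambda: H(*ys, p(x), f(p(x))))
        return L(0)(F)
    return phi

def search(g):
    """search = lambda g. lambda f. lambda x. c (g x) x (f (s x)), from the Claim in 4.8."""
    return lambda f: lambda x: c(g(x), lambda: x, lambda: f(s(x)))

def minimize(G):
    """Proposition 4.8: phi(nbar) = mu m. chi(nbar, m) = 0, with chi represented by G
    and assumed total with a zero for every nbar: lambda xbar. L_0 (search (G xbar)) 0."""
    return lambda *ns: L(0)(search(lambda m: G(*ns, m)))(0)

# Constructed sample functions (not from the thesis).
add = prim_rec(lambda y: y, lambda y, k, r: s(r))              # y + k
factorial = prim_rec(lambda: 1, lambda k, r: s(k) * r)         # k!
isqrt = minimize(lambda n, m: 0 if s(m) ** 2 > n else 1)       # floor(sqrt(n))
add_then_fact = compose(lambda k: factorial()(k), lambda y, k: add(y)(k))

def unfoldings_for(thunk):
    """Run thunk() and return (result, indices of the looping combinators unfolded)."""
    UNFOLDINGS.clear()
    return thunk(), list(UNFOLDINGS)
```

The index list returned by unfoldings_for shows that each recursive step of factorial or of the search consumed a different L_i, which is all the proofs above rely on.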


Corollary 4.10. The normal-form relation of the λ^Y-calculus
is undecidable.

Proof. By Lemma 4.9 and Theorem 4.2. ∎
4.5. Embedding reduction systems

Let R and S be two reduction systems with numerals, and let trans_{R,S} ∈ R → S
be a translation function mapping terms of R to terms of S. If M ∈ R, then M̄
abbreviates trans_{R,S}(M). We say that trans_{R,S} embeds R into S iff

(1) For every m ≥ 0, trans_{R,S}(⌜m⌝_R) →→_S ⌜m⌝_S,

(2) For any M ∈ R and n ≥ 0, M →→_R ⌜n⌝_R ⟹ trans_{R,S}(M) →→_S trans_{R,S}(⌜n⌝_R), and

(3) For M, N ∈ R, trans_{R,S}(M N) = trans_{R,S}(M) trans_{R,S}(N).

In other words, the translation function preserves numerals and reduction paths
ending at numerals, and commutes with the application operators.


Lemma 4.11. Let ℱ be a class of numeric functions numeralwise rep-
resentable in R. If R can be embedded into S and, for every φ ∈ ℱ rep-
resented by some F ∈ R, the unique answer condition holds for F̄ ∈ S,
then the functions in ℱ are numeralwise representable in S.

Proof. Suppose that φ ∈ N^k → N is numeralwise represented by a term F ∈ R.
Then, for any n̄ ∈ N^k and m ∈ N, we have

    φ(n̄) = m ⟹ F ⌜n̄⌝_R →→_R ⌜m⌝_R
           ⟹ trans_{R,S}(F ⌜n̄⌝_R) →→_S trans_{R,S}(⌜m⌝_R) ,

since R can be embedded into S. The embedding translation preserves numerals
and commutes with term application in S, therefore F̄ ⌜n̄⌝_S →→_S ⌜m⌝_S, so φ is
defined by F̄ ∈ S. By Lemma 4.1, φ is in fact represented by F̄. ∎

Corollary 4.12. If R can be embedded into S and the recursive functions
are numeralwise representable in R, then the normal-form relation of S
is undecidable.

Proof. By Theorem 4.2 and Lemma 4.11. ∎


4.6. Undecidability in the λ*-calculus

We are now ready to prove that the normal-form relation of the λ*-calculus is
undecidable. We can compute on integers in λ* by adapting the polymorphic
Church numerals [Fortune et al. 1983]. Define the numeral type

    N = Πt:*.(t → t) → (t → t) ;

then the numerals of λ* are defined as

    ⌜n⌝_* = λt:*.λf:t→t.λx:t.f^n x ,

with the zero constant 0 = ⌜0⌝_*. By inspection, it is evident that the numerals
are distinct and that each is a closed normal form. The λ*-combinators for the
successor and conditional operators are

    ŝ = λn:N.λt:*.λf:t→t.λx:t.f (n t f x) ,
    ĉ = λn:N.λa:N.λb:N.n N (λx:N.b) a .

To define predecessor, we first need a special pairing operation on integers that is
definable in terms of ĉ. For terms M, N : N, define

    ⟨M, N⟩ = λn:N.ĉ n M N .

The pair ⟨M, N⟩ is such that (⟨M, N⟩ 0) →→ M and (⟨M, N⟩ (ŝ x)) →→ N. The basic
trick behind the predecessor operation is due to [Kleene 1979] and is explained
in [Fortune et al. 1983, p. 161].

    p̂ = λn:N.n (N → N) (λz:N→N.⟨(ŝ (z 0)), (z 0)⟩) ⟨0, 0⟩ (ŝ 0) .

From these observations, we have

Lemma 4.13. The λ*-calculus is a reduction system with numerals.

Proposition 4.14. The reduction rules defined for the λ^Y-constants c
and p are observed by the λ*-combinators ĉ and p̂, and (ŝ^n 0) →→ ⌜n⌝_*.

Proof by verifying the appropriate reductions. To show (ŝ^n 0) →→ ⌜n⌝_*, proceed by
induction on n. ∎
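The numerals and the combinators ŝ, ĉ and p̂ of this section, as an added Python example (not a term from the thesis): each closure mirrors the λ* term it is named after, with the type argument t kept as a parameter the closures ignore at run time, and the Kleene pairing trick for p̂ carried out step by step.

```python
"""The polymorphic Church numerals of section 4.6 and the combinators s-hat,
c-hat and p-hat, written as Python closures. This is an added example, not a
term from the thesis. The type argument t of N = Πt:*.(t→t)→(t→t) is kept as an
explicit parameter that the closures ignore at run time (assumption: types are
erased), so each closure mirrors the lambda* term it is named after; beta-
reduction is played by Python's own function application."""

def numeral(n):
    """⌜n⌝ = λt:*.λf:t→t.λx:t.f^n x"""
    def term(t):
        def with_f(f):
            def with_x(x):
                for _ in range(n):
                    x = f(x)
                return x
            return with_x
        return with_f
    return term

zero = numeral(0)                                   # 0 = ⌜0⌝

def succ(n):
    """ŝ = λn:N.λt:*.λf:t→t.λx:t.f (n t f x)"""
    return lambda t: lambda f: lambda x: f(n(t)(f)(x))

def cond(n):
    """ĉ = λn:N.λa:N.λb:N.n N (λx:N.b) a  -- yields a if n is zero, b otherwise"""
    return lambda a: lambda b: n("N")(lambda x: b)(a)

def pair(m, n):
    """⟨M, N⟩ = λn:N.ĉ n M N ; (⟨M,N⟩ 0) -> M and (⟨M,N⟩ (ŝ x)) -> N"""
    return lambda k: cond(k)(m)(n)

def pred(n):
    """p̂ = λn:N.n (N→N) (λz:N→N.⟨ŝ (z 0), z 0⟩) ⟨0,0⟩ (ŝ 0)
    Kleene's trick: after k steps the pair holds ⟨k, k-1⟩; selecting the second
    component with (ŝ 0) yields k-1, and starting from ⟨0,0⟩ makes p̂ 0 = 0."""
    step = lambda z: pair(succ(z(zero)), z(zero))
    return n("N->N")(step)(pair(zero, zero))(succ(zero))

def iterated_succ(n):
    """(ŝ^n 0): n applications of ŝ to the zero constant."""
    term = zero
    for _ in range(n):
        term = succ(term)
    return term

def to_int(n):
    """Read a numeral back by instantiating t at int with f = +1 and x = 0."""
    return n(int)(lambda k: k + 1)(0)

def check_prop_4_14(k):
    """True iff the reduction rules of Proposition 4.14 hold at k:
    c 0 M N -> M, c (s k) M N -> N, p 0 -> 0, p (s k) -> k, (ŝ^k 0) = ⌜k⌝."""
    m, n = numeral(3), numeral(4)
    return (to_int(cond(zero)(m)(n)) == 3
            and to_int(cond(succ(numeral(k)))(m)(n)) == 4
            and to_int(pred(zero)) == 0
            and to_int(pred(succ(numeral(k)))) == k
            and to_int(iterated_succ(k)) == k)
```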

To embed the λ^Y-calculus into the λ*-calculus, we must define a translation
not only on terms but on types as well, since λ^Y-terms may contain types. The
translation from λ^Y-types to λ*-terms is defined:

    trans(N) = N ,
    trans(A → B) = Πx:trans(A).trans(B) .

Because all λ^Y-types are built from the base type N, there is no possibility that
x will be free in B, so we need not state this as a restriction. The λ^Y-terms
are translated as follows, where L_i denotes the i-th polymorphic looping combinator
constructed in §3:

    trans(0) = 0 ,
    trans(s) = ŝ ,
    trans(c) = ĉ ,
    trans(p) = p̂ ,
    trans(L_i) = L_i (N → N) .

Lemma 4.15. The above translation embeds λ^Y into λ*, when these
calculi are viewed as reduction systems.

Proof. The translation obviously commutes with the application operators. To see
that numerals are preserved, note that, by Proposition 4.14,

    trans(⌜n⌝_Y) = trans(s^n 0) = (ŝ^n 0) →→ ⌜n⌝_* .

To show that M →→_Y ⌜n⌝_Y ⟹ trans(M) →→_* trans(⌜n⌝_Y), we proceed by induction on the length of
the λ^Y-reduction path from M to ⌜n⌝_Y. If M →_Y N by a β-reduction, then the same
β-reduction will take place in λ*. If M →_Y N by one of the arithmetic constant
reduction rules, then, by Proposition 4.14, a chain of one or more β-reductions
will take trans(M) to trans(N) in λ*. If M →_Y N by a looping combinator reduction, then, by
Theorem 3.9, a chain of one or more β-reductions will take trans(M) to trans(N) in λ*. ∎

Theorem 4.16. The normal-form relation of the λ*-calculus
is undecidable.

Proof. By Lemma 2.1, Lemma 4.9, Corollary 4.12, and Lemma 4.15. ∎
5. Conclusion

The main results of this thesis can be summarized as follows.

• A family of polymorphic looping combinators can be constructed
in the λ*-calculus.

• The existence of these looping combinators implies that the re-
duction, equational, and typing theories of the calculus are all
undecidable.


We now discuss some practical and theoretical consequences of these results. 


Dependent function types in programming languages. The failure of strong normalization
and the undecidability of the reduction and equational theories of terms are
not surprising for real programming languages, because in such languages we expect
to be able to express possibly divergent recursive computations using primitives 
such as letrec. Furthermore, since typechecking may require arbitrary computa- 
tion, typechecking will be undecidable for a language with recursion and dependent 
function types whether it has a type of all types or not. 

This might seem to disqualify dependent function types as a useful feature of 
practical programming languages, but there are a number of ways to make them 
more palatable. One extreme is taken by CLU, in which parameterized procedures 
are similar to functions with dependent types. In CLU, a parameterized procedure 
can be applied only to a type or to a constant expression of some built-in type, the 
value of which can be computed at compile time. At the other extreme, a clever 
compiler could, in principle, detect any recursive computation that arises during 
typechecking by watching for invocations of letrec or other recursion constructs. 
Upon detecting a recursive computation, the compiler could either warn that the 
compilation may not terminate or simply refuse to compile the program. 

The primary consequence of our result for programming language practice is 
that this latter strategy will not work for a language with recursion that subsumes 
the λ*-calculus. Recursive computations can be expressed in such a language using
looping combinators, which cannot be detected by a compiler. One might object 
that it is unlikely that a programmer would, intentionally or otherwise, formalize 
Girard’s paradox and thereby subvert the typechecker, but we do not know that 
simpler looping combinators do not exist. 


Dependent pair types. As we saw in §3, dependent pair types correspond to ex- 
istential propositions under the propositions-as-types analogy. Dependent pair 
types seem to have first appeared in [Howard 1969], who distinguished between 
weak dependent pairs, which only have an out-like accessing operation, and strong 
dependent pairs, which have both left- and right-hand projections. (Having a left-
hand projection and out, but lacking a right-hand projection, the dependent pairs
definable in the λ*-calculus lie between the two.)

[Mitchell & Plotkin 1985] observe that implementations of abstract data types 
in languages such as Ada, CLU, and ML can be modelled by weak dependent pairs. 
[MacQueen 1986] argues that weak dependent pairs are not flexible enough for 
full-fledged "programming in the large," and proposes instead the use of strong
dependent pairs. Unfortunately, the familiar polymorphic λ-calculus of [Girard 1972]
and [Reynolds 1974] augmented with strong dependent pairs admits the formal- 
ization of Girard’s paradox, which implies the failure of strong normalization, the 
ability to construct looping combinators, and thereby the undecidability of nor- 
mal forms, equality, and typing. This was discovered simultaneously by [Harper & 
Mitchell 1986] and [Hook & Howe 1986], who demonstrated that the λ*-calculus
can be simulated in the polymorphic λ-calculus with strong dependent pairs, and
by [Coquand 1986], who argued that Girard’s paradox can be carried out in such a 
language directly. The difficulties stemming from Girard’s paradox can be avoided 
either by retreating to weak dependent pairs, or by settling for a less flexible form 
of polymorphism [Mitchell & Harper 1988]. 


Kernel languages. Our interest in programming languages with dependent function 
types and the type of all types was originally sparked by [Burstall & Lampson 1984], 
which describes Pebble, a “kernel language” for abstract data types and modules. 
Pebble is a richer language than the λ*-calculus; it supports dependent function
types and the type of all types, but it also includes recursion, integer and boolean
base types, tuple types, and strong dependent pairs. Yet the type system of Pebble
does not seem to have the full power of that of the λ*-calculus. One major difference
is that Pebble does not allow α-conversion in dependent function types, so that
Πx:A.B and Πy:A.B[y/x] are considered to be two distinct types. The λ*-calculus,
which does not make this distinction, cannot be simulated under this restriction,
and so our results for the λ*-calculus are not directly applicable to Pebble.

Related to Pebble is the typed λ-calculus of [Cardelli 1986], which is essentially
the λ*-calculus enriched with strong existential and recursive types. This language
subsumes the λ*-calculus, so our results extend to it trivially.


5.1. Context and history of this work 


In [Meyer & Reinhold 1986] we claimed the existence of a polymorphic fixed-point 
combinator in a typed λ-calculus essentially equivalent to the λ*-calculus. Shortly
before that paper was presented, I found two major flaws in the construction of the 
combinator. First, the construction relied upon features not present in the pure 
calculus. My construction was based on the presentation in [Martin-Löf 1972],
which implicitly uses a richer language that contains strong dependent pairs and a 
flexible primitive recursion operator for functions on integers. It appears that
neither of these constructs can be simulated in the pure λ*-calculus, although this has
not been proved. Second, even under the assumption that these features existed, 
I could not find a convincing, rigorous proof that the constructed term really was 
a fixed-point operator. On the positive side, I observed that the constructed term 
was a polymorphic looping combinator [Reinhold 1986], and I conjectured that the 
construction would lead to a true fixed-point combinator when carried out in the 
pure system. 

In the fall of 1985 we learned that Thierry Coquand had constructed, and 
checked by machine, a formalization of Girard’s paradox in an extension of his 
Calculus of Constructions [Coquand 1985a]. Encouraged by this result, in the 
spring of 1986 I began working from a preprint of [Coquand 1986] and from
[Girard 1972] to obtain a formalization of the paradox in the pure λ*-calculus. It had
been apparent beforehand that machine assistance would be required in order to 
completely check the formal construction. Even the original construction, carried 
out in a richer language, requires about five pages to write down, and checking 
it by hand is a tedious and error-prone process. The obvious complexity of the 
construction in the pure λ*-calculus led to the initial design and development of
LP in the summer of 1986. With this system, I checked my original construction 
and empirically verified that it loops under reduction. 

In the meantime, Doug Howe had been working on formalizing and analyzing 
Girard’s paradox with the aid of the NUPRL proof development system [Consta- 
ble 1986]. In the fall of 1986 a preprint of [Howe 1987] arrived, in which a more 
complete formulation of the paradox than given in [Coquand 1986] is presented. 
Howe applied my looping combinator construction method and proved that he 
obtained a looping combinator that was not a fixed-point operator. 

Using Howe’s formulation of the paradox, I was quickly able to complete my 
own formalization with the aid of LP and verify that our method was applicable 
to it, obtaining the looping combinator L_0. The paradox and the construction
method were presented in §3, and a complete listing of L_0 is given in §B. In light of
Howe's proof and Coquand's more recent argument, mentioned in §3, it does not
seem worth duplicating their work in order to rigorously prove that L_0 is in fact a
looping combinator. 

An important detail that has been missing from the published work on looping 
combinators in the λ*-calculus is the fact that the existence of a looping
combinator does not immediately imply the undecidability of normal forms, equations, and
typings in the calculus. Indeed, as discussed in §4, the obvious method for
proving undecidability, namely by showing that all partial recursive functions can be
computed, relies upon knowing more than we do about the reduction behavior of
looping combinators in the λ*-calculus. In §4 we proved by an alternative method
that normal forms, equations, and typings are undecidable in the λ*-calculus.


5.2. Open questions 


The claim of [Meyer & Reinhold 1986] that fixed-point operators exist in the
λ*-calculus was premature, leaving open the following question:

(1) Do fixed-point operators exist in the λ*-calculus?


It seems likely that a nonexistence proof will require semantic rather than syntactic 
methods. 

A major theme of [Meyer & Reinhold 1986] that we have not addressed here is
the conservative extension of algebraic theories by typed λ-calculi [Breazu-Tannen
& Meyer 1987, Breazu-Tannen 1987]. An algebraic theory is conservatively
extended by a typed λ-calculus if, when the function symbols and axioms of the
theory are added to the calculus, the equations provable between algebraic terms 
in the calculus are just those that were provable in the original theory. The value 
of conservative extension theorems for reasoning about programs is that they al- 
low the familiar methods of equational reasoning to be used instead of the more 
complex methods that have been developed for reasoning about divergent computa- 
tions [Gordon et al. 1979, Paulson 1984]. In [Meyer & Reinhold 1986] we concluded 
that the λ*-calculus does not conservatively extend every algebraic theory, but this
claim depends upon the existence of a fixed-point operator. The unknown status
of fixed-point operators and the presence of looping combinators in the λ*-calculus
raises the question: 


(2) Do looping combinators conservatively extend algebraic theories? 


To start, one might consider whether the λ^Y-calculus of §4 is a conservative
extension of every algebraic theory.

We mention here that a related open question of [Meyer & Reinhold 1986] has 
been answered: The pure λ*-calculus is a conservative extension of the pure
λ^Π-calculus, the typed λ-calculus with dependent function types [Breazu-Tannen 1986].

Finally, a more pragmatic question is: 


(3) Are dependent function types useful of themselves, in the ab- 
sence of the type of all types or similar constructs? 


While dependent types are not explicitly available in many current programming 
languages, they occur implicitly in a variety of ways. For example, a well-known 
limitation of procedures in Pascal is the restriction that an array parameter must
be of a fixed size that can be determined at compile time. Many implementations 
of Pascal overcome this problem by extending the procedure call mechanism so that 
the dimensions of an array are passed along with the array itself; the dimensions 
are made available to the called procedure via special “dimension” variables. 
There are many examples of interesting functions in real programming lan- 
guages that are typically untyped or weakly typed, but which can be accurately 
described by dependent types. Consider the format procedure available in most 
dialects of Lisp [Steele 1984] (equivalently, the printf procedure of C [Kernighan 
& Ritchie 1978]). Format is applied to a format string and some number of ar- 
guments, and patterns in the format string specify how the arguments are to be 
printed. While the first argument to format must be a string, the types of the 
remaining arguments depend upon the particular patterns given in the string. If 
we think of format as a function mapping a string to another function that will 
actually perform the output, then format can be given a dependent type, since the 
type of the returned function depends upon the value of the string argument. 
A. The LP program

A.1. Data structures and algorithms


The core of the LP program is a reduction engine for typed λ-terms. Terms are
represented as graphs, much as in [Wadsworth 1971], and reduction is performed
by a closure-based algorithm similar to that of [Aiello & Prini 1981].

Once reduction is implemented, it is a simple matter to implement a type
derivation algorithm that computes the type, if any, of an arbitrary term. Due to
the type conversion (tc) rule, the proof system for typing statements presented in
§2 is non-deterministic. However, it is not hard to demonstrate that any provable
typing statement has a proof in which the (tc) rule is used only at the very end of
the proof or immediately before the (Πe) rule, to convert the type of the operand
of an application. This observation leads to the algorithm shown below, expressed
as a recursively defined function T of type context → term → term. The algorithm
traverses an input term by recursive descent, extending the context Δ whenever
an abstraction term is entered.


    TΔ(x) = if x ∈ dom Δ
            then Δ(x)
            else error: undeclared variable x

    TΔ(*) = *

    TΔ(Πx:A.B) = if TΔ(A) ≠ *
                 then error: type of declared variable is not of type *
                 else if T(Δ, x:A)(B) ≠ *
                 then error: Π-body does not have type *
                 else *

    TΔ(λx:A.B) = if TΔ(A) ≠ *
                 then error: type of declared variable is not of type *
                 else (Πx:A.T(Δ, x:A)(B))

    TΔ(M N) = let A = TΔ(M) and B = TΔ(N)
              in if ¬pi-term?(A)
                 then error: operator does not have a Π-type
                 else if bound-var-type(A) ≁ B
                 then error: ill-typed application
                 else pi-body(A)[N/x]
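The algorithm T above as an added Python example (not the LP program itself), with two assumptions the page does not make: the "≁" and "≠ *" tests are decided by β-normalization up to α-equivalence, and normalization carries a step budget, so on a term whose typing needs more reduction than the budget allows the checker reports that it gave up rather than running forever, which is the practical bound a compiler for such a language needs since typing is undecidable. The sample terms (the polymorphic identity, its self-application, the Loop type of §B, and a term whose typing costs many β-steps) are constructed here.

```python
"""The type derivation algorithm T of A.1 for lambda*, as an added Python example
(not the thesis's LP program). Terms are tuples ('star',), ('var', x), ('pi', x, A, B),
('lam', x, A, B), ('app', M, N). Assumptions not on the page: the '≁' and '≠ *' tests
are decided by beta-normalization up to alpha-equivalence, and normalization has a
step budget, so the checker gives up instead of diverging when the budget runs out."""
import functools, itertools

STAR = ('star',)
class IllTyped(Exception): pass
class GaveUp(Exception): pass          # fuel exhausted: typing may never terminate
_fresh = itertools.count()

def free_vars(t):
    if t[0] == 'star': return set()
    if t[0] == 'var': return {t[1]}
    if t[0] == 'app': return free_vars(t[1]) | free_vars(t[2])
    return free_vars(t[2]) | (free_vars(t[3]) - {t[1]})

def subst(t, x, s):
    """t[s/x], renaming bound variables to avoid capture."""
    k = t[0]
    if k == 'star': return t
    if k == 'var': return s if t[1] == x else t
    if k == 'app': return ('app', subst(t[1], x, s), subst(t[2], x, s))
    y, A, B = t[1], subst(t[2], x, s), t[3]
    if y == x: return (k, y, A, B)                     # x is shadowed in the body
    if y in free_vars(s):
        y2 = f"{y}_{next(_fresh)}"
        B, y = subst(B, y, ('var', y2)), y2
    return (k, y, A, subst(B, x, s))

def nf(t, fuel):
    """Normal-order beta-normalization; every beta-step costs one unit of fuel."""
    k = t[0]
    if k in ('star', 'var'): return t
    if k in ('pi', 'lam'): return (k, t[1], nf(t[2], fuel), nf(t[3], fuel))
    f = nf(t[1], fuel)
    if f[0] == 'lam':
        fuel[0] -= 1
        if fuel[0] < 0: raise GaveUp()
        return nf(subst(f[3], f[1], t[2]), fuel)
    return ('app', f, nf(t[2], fuel))

def alpha_eq(a, b, env=()):
    if a[0] != b[0]: return False
    if a[0] == 'star': return True
    if a[0] == 'var':
        for x, y in env:                               # innermost binder first
            if a[1] == x or b[1] == y: return a[1] == x and b[1] == y
        return a[1] == b[1]
    if a[0] == 'app': return alpha_eq(a[1], b[1], env) and alpha_eq(a[2], b[2], env)
    return alpha_eq(a[2], b[2], env) and alpha_eq(a[3], b[3], ((a[1], b[1]),) + env)

def conv(a, b, fuel):
    return alpha_eq(nf(a, fuel), nf(b, fuel))

def typeof(ctx, t, fuel):
    """T Delta(t); ctx is a tuple of (x, A) pairs, later entries shadow earlier ones."""
    k = t[0]
    if k == 'var':
        for x, A in reversed(ctx):
            if x == t[1]: return A
        raise IllTyped(f"undeclared variable {t[1]}")
    if k == 'star': return STAR                        # the axiom *:*
    if k in ('pi', 'lam'):
        _, x, A, B = t
        if not conv(typeof(ctx, A, fuel), STAR, fuel):
            raise IllTyped("type of declared variable is not of type *")
        tB = typeof(ctx + ((x, A),), B, fuel)
        if k == 'lam': return ('pi', x, A, tB)
        if not conv(tB, STAR, fuel): raise IllTyped("Pi-body does not have type *")
        return STAR
    A = nf(typeof(ctx, t[1], fuel), fuel)              # expose the operator's Pi-type
    B = typeof(ctx, t[2], fuel)
    if A[0] != 'pi': raise IllTyped("operator does not have a Pi-type")
    if not conv(A[2], B, fuel): raise IllTyped("ill-typed application")
    return subst(A[3], A[1], t[2])                     # pi-body(A)[N/x]

def check(t, budget=1000):
    """('ok', normalized type), ('ill-typed', reason) or ('gave-up', None)."""
    fuel = [budget]
    try:
        return ('ok', nf(typeof((), t, fuel), fuel))
    except IllTyped as e:
        return ('ill-typed', str(e))
    except GaveUp:
        return ('gave-up', None)

# Constructed sample terms (not from the thesis).
def V(x): return ('var', x)
def Pi(x, A, B): return ('pi', x, A, B)
def Lam(x, A, B): return ('lam', x, A, B)
App = lambda f, *args: functools.reduce(lambda m, n: ('app', m, n), args, f)
ID = Lam('t', STAR, Lam('x', V('t'), V('x')))           # polymorphic identity
ID_TYPE = Pi('t', STAR, Pi('x', V('t'), V('t')))
SELF_APP = App(ID, ID_TYPE, ID)                         # typable only because *:*
OMEGA = Lam('x', STAR, App(V('x'), V('x')))             # x:* has no Pi-type
LOOP = Pi('Z', STAR, Pi('u', Pi('v', Pi('w', V('Z'), V('Z')), V('Z')), V('Z')))  # (def Loop ...)

def slow(k):
    """(λa:*.λx:a.x) T_k *, where T_k = (λa:*.a)^k * takes k beta-steps to reach *."""
    T = STAR
    for _ in range(k): T = App(Lam('a', STAR, V('a')), T)
    return App(Lam('a', STAR, Lam('x', V('a'), V('x'))), T, STAR)
```

With budget 10, check(slow(20)) gives up, while with the default budget it returns the type *; the three outcomes of check are exactly what an implementation can promise when the underlying problem is undecidable.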
A.2. Syntax and sugar

The notation for terms of the λ*-calculus presented in §2 is pleasant enough for
human consumption, but it takes some time to teach a computer how to read it.
As LP was written in Lisp, and we already have text editors with powerful facilities
for editing Lisp-like programs, it was decided to use the list-reading facilities of
the Lisp implementation to parse terms input to LP. Thus the LP input language
is different in appearance from the usual notation. Variables of the λ*-calculus
are represented by symbols in LP (alphabetic case is significant); beyond that, the
correspondence is:

    x             x
    (λx:A.M)      (\x A M)
    (Πx:A.B)      (!x A B)
    (M N)         (M N)


Some syntactic sugar is defined. Application, as usual, is left-associative, so
(f a b) is equivalent to ((f a) b). An abbreviation for (!x A B) is (A -> B)
if x does not occur free in B; '->' is right-associative. A chain of λ-abstractions
such as (\x A (\y B (\z C ...))) may be abbreviated:

    (\ ((x A)
        (y B)
        (z C))
      ...)


Chains of Π-abstractions may be abbreviated in a similar fashion. The let con-
struct

    (let ((x A M)
          (y B N)
          (z C O))
      ...)

is sugar for the application

    ((\ ((x A)
         (y B)
         (z C))
       ...)
     M N O) .
Like Lisp’s “read-eval-print” loop, LP has a top-level “read-type-eval-print” 
loop that reads a term, attempts to compute its type, and, if the term is well- 
typed, prints its type and its normal form. Certain symbols are predefined as LP 
commands; the most important of these is the def command. A term of the form
(def x M) defines the symbol x in the global environment to be the term M,
if M is well-typed. After this definition, any free occurrence of x, in any term,
will refer to M. Terms in the environment are kept in normal form for efficiency, 
but some terms (e.g., any looping combinator) do not have normal forms. The 
defx command is used in such cases; it works just like def except that it does not 
attempt to reduce the defined term to normal form. 

LP has a macro facility that is used to define local abbreviations within the 
paradox construction (they are also used in the implementation of dependent tu- 
ples, described below). A term of the form 


    (mlet ((x_1 M_1) (x_2 M_2) ··· (x_n M_n)) N)

expands into N[M̄/x̄]. Macros are expanded from the outside inwards, and
expansion takes place before typechecking is done.


A.3. Dependent tuple types 


The formulation and proof of Girard’s paradox makes frequent use of dependent 
pair types. The paradox could, in principle, be formalized using the definitions 
of §2, but the resulting term would be rather complex. Certain propositions of 
the paradox are expressed as nested dependent pair types, entailing corresponding 
nested uses of out to get at the innermost dependent component of an element of 
such a type (e.g., consider rU, in which dependent pair types are nested six deep).
Each use of out must mention the result type X of the function f that accesses the 
components of the dependent pair;* moreover, the dependent parts of most of the 
dependent pair types used in the paradox are themselves composed of conjunctions 
of two or three types. 

The complexity of terms involving nested dependent pair types motivated the 
introduction of dependent tuple types, a generalization of dependent pair types 
that is supported in part by the macro expansion mechanism of LP. An element 
of a dependent tuple type can be thought of as a record containing named fields 
a_1:t_1, a_2:t_2, ..., a_n:t_n in which the type t_i of field a_i can depend upon the values
of the preceding fields a_1, a_2, ..., a_{i−1}. Dependent pair types can also be
parameterized, and the type of each parameter may depend upon the values of
previous parameters. (This parameterization could have been done with ordinary
λ-abstraction, but it was more convenient for the paradox construction to include
it as part of the dependent tuple type construct.) 


*Uses of out, which require mentioning the type A and the function B, can be eliminated by 
directly applying a dependent pair to the desired X and f, but X must still be given. 
A dependent tuple type is declared to LP by a command of the form

    (def-dtuple (G ((p_1 s_1) (p_2 s_2) ··· (p_k s_k)))
                ((a_1 t_1) (a_2 t_2) ··· (a_n t_n))) ,

where G is the name of the tuple type, each parameter p_i has type s_i, and each
field a_i has type t_i. The declaration of a tuple type G causes three things to be
defined: G is bound to a term describing the actual type of the tuple, ~G is bound
to a constructor function that produces an element of the tuple when applied to
actual parameters and field values of the appropriate type, and @G is bound to
an accessor macro that can be used to "open up" an entire tuple with a single
operation, allowing a field a of a tuple variable x to be accessed as x.a.
Specifically, the above declaration causes G to be defined as

    G = λp̄:s̄.ΠX:*.(Πā:t̄.X) → X ,

and the constructor function ~G to be defined as

    ~G = λp̄:s̄.λā:t̄.λX:*.λf:(Πā:t̄.X).f ā
       : Πp̄:s̄.Πā:t̄.G p̄ .

Finally, the accessor macro @G is defined so that (@G x q̄ A M), for some variable
x of type (G q̄), expands into

    (x A (λx.a_1:t_1[x.ā/ā][q̄/p̄]
           (λx.a_2:t_2[x.ā/ā][q̄/p̄] ···
             (λx.a_n:t_n[x.ā/ā][q̄/p̄].M)···)) ,

where t[x.ā/ā] denotes the simultaneous substitution of x.a_i for a_i in t (1 ≤ i ≤ n).

In words, the application of @G evaluates the body M of type A in an environment
with x.a_i bound to the appropriate element of x, for each declared field a_i.




B. The looping combinator 


;;; polymorphic looping combinator type

(def Loop (!Z * ((Z -> Z) -> Z)))

;;; type of relations on a type A

(def Rel (\A * (A -> A -> *)))

;;; type of predicates on a type A

(def Pred (\A * (A -> *)))

;;; transitivity

(def Trans (\ ((A *)
               (dA (Pred A))          ; unused argument, to get Trans: OS-pred
               (rA (Rel A)))
  (!x A (!y A (!z A ((rA x y) -> (rA y z) -> (rA x z)))))))

;;; chains

(def-dtuple (Predec ((A *)            ; predecessor existence predicate
                     (dA (Pred A))
                     (rA (Rel A))
                     (C (Pred A))     ; in chain C,
                     (x A)            ; for every x
                     (cx (C x))))     ; in the chain,
            ((y A)                    ; there is a y
             (cy (C y))               ; that is in the chain
             (ryx (rA y x))))         ; and smaller than x

(def-dtuple (Chain ((A *)
                    (dA (Pred A))
                    (rA (Rel A))
                    (C (Pred A))))    ; chain C
            ((z A)                    ; base of chain
             (cz (C z))               ; base is in chain
             (dz (dA z))              ; base is in A
             (pr (! ((x A)           ; predecessors exist
                     (cx (C x)))
                   (Predec A dA rA C x cx)))))
;;; well-foundedness

(def WF (\ ((A *)
            (dA (Pred A))
            (rA (Rel A)))
  (!C (Pred A) ((Chain A dA rA C) -> Loop))))

;;; embedding ordered sets

(def-dtuple (Embed ((A *)
                    (dA (Pred A))
                    (rA (Rel A))
                    (B *)
                    (dB (Pred B))
                    (rB (Rel B))
                    (f (A -> B))      ; embedding function
                    (b B)))           ; embedding bound
            ((db (dB b))                                   ; b is in domain of B
             (pres-dom (!x A ((dA x) -> (dB (f x)))))      ; f is domain-preserving
             (mono (!x A (!y A ((dA x)                     ; f is monotonic
                                -> (dA y)
                                -> (rA x y)
                                -> (rB (f x) (f y))))))
             (dominate (!x A ((dA x) -> (rB (f x) b))))))  ; b dominates ran f

;;; ordering on ordered sets based on embedding

(def-dtuple (Embed-ord ((A *)
                        (dA (Pred A))
                        (rA (Rel A))
                        (B *)
                        (dB (Pred B))
                        (rB (Rel B))))
            ((f (A -> B))                       ; embedding function exists
             (b B)                              ; embedding bound exists
             (m (Embed A dA rA B dB rB f b))))  ; together they define an embedding
;;; intensional equality (directed from left to right)

(def Eq (\ ((A *)
            (x A)
            (y A))
  (!P (Pred A) ((P x) -> (P y)))))

;;; intensional equality is reflexive, symmetric, and transitive

(def eq-ref (\ ((A *)
                (x A))
  (: (Eq A x x)
     (\ ((P (Pred A))
         (p (P x)))
       p))))

(def eq-sym (\ ((A *)
                (x A)
                (y A)
                (e (Eq A x y)))
  (: (Eq A y x)
     (e (\w A (Eq A w x))
        (eq-ref A x)))))

(def eq-trans (\ ((A *)
                  (x A)
                  (y A)
                  (z A)
                  (p (Eq A x y))
                  (q (Eq A y z)))
  (: (Eq A x z)
     (q (\w A (Eq A x w)) p))))
;;; universal type of ordered sets, and the injection into it

(def OS-pred (!A * ((Pred A) -> (Rel A) -> *)))  ; type of predicates on ordered sets
(def U (OS-pred -> *))                           ; type of predicates on OS-predicates

(def inj (\ ((A *)                               ; injection into U
             (dA (Pred A))
             (rA (Rel A)))
  (: U
     (\x OS-pred
       (x A dA rA)))))

;;; Lemma 1. If (inj OA) = (inj OB) and (P OA), then (P OB).

(def lemma1 (\ ((A *)
                (dA (Pred A))
                (rA (Rel A))
                (B *)
                (dB (Pred B))
                (rB (Rel B))
                (e (Eq U (inj A dA rA) (inj B dB rB)))
                (P OS-pred)
                (pA (P A dA rA)))
  (: (P B dB rB)
     (e (\u U (u P)) pA))))

;;; domain predicate on U: transitive, well-founded ordered sets only

(def-dtuple (dU ((u U)))
            ((A *)                            ; ordered set OA exists
             (dA (Pred A))
             (rA (Rel A))
             (e (Eq U u (inj A dA rA)))       ; u = (inj OA)
             (t (Trans A dA rA))              ; OA is transitive
             (w (WF A dA rA))))               ; OA is well-founded

;;; ordering on elements of U: by embedding

(def-dtuple (rU ((u U)
                 (v U)))
            ((A *)                                 ; ordered set OA exists
             (dA (Pred A))
             (rA (Rel A))
             (B *)                                 ; ordered set OB exists
             (dB (Pred B))
             (rB (Rel B))
             (i (Eq U u (inj A dA rA)))            ; u = OA
             (j (Eq U v (inj B dB rB)))            ; v = OB
             (o (Embed-ord A dA rA B dB rB))))     ; OA < OB
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333; Lemma 2a. If (dU (inj 0A)), then (Trans OA). 


(def lemma2a
  (\ ((A *)
      (dA (Pred A))
      (rA (Rel A))
      (d (dU (inj A dA rA))))
    (@dU d
         (inj A dA rA)
         (Trans A dA rA)
      ;; apply lemma1
      (lemma1 d.A d.dA d.rA
              A dA rA
              (eq-sym U (inj A dA rA) (inj d.A d.dA d.rA) d.e)
              Trans
              d.t))))


;;; Lemma 2b. If (dU (inj OA)), then (WF OA).
;;; Identical in structure to lemma2a, except for result.


(def lemma2b
  (\ ((A *)
      (dA (Pred A))
      (rA (Rel A))
      (d (dU (inj A dA rA))))
    (@dU d
         (inj A dA rA)
         (WF A dA rA)
      ;; apply lemma1
      (lemma1 d.A d.dA d.rA
              A dA rA
              (eq-sym U (inj A dA rA) (inj d.A d.dA d.rA) d.e)
              WF
              d.w))))
;;; Lemma 3. If OA < OB, and fBC, bBC embed OB into OC, then there exist fAC, bAC
;;; embedding OA into OC such that (rC bAC bBC).


(def-dtuple (L3-conseq ((A *)          ; type of consequence of lemma3
                        (dA (Pred A))
                        (rA (Rel A))
                        (C *)
                        (dC (Pred C))
                        (rC (Rel C))
                        (bBC C)))
  ((f (A -> C))
   (b C)
   (m (Embed A dA rA C dC rC f b))
   (rb (rC b bBC))))


(def lemma3
  (\ ((A *)
      (dA (Pred A))
      (rA (Rel A))
      (B *)
      (dB (Pred B))
      (rB (Rel B))
      (C *)
      (dC (Pred C))
      (rC (Rel C))
      (oAB (Embed-ord A dA rA B dB rB))
      (fBC (B -> C))
      (bBC C)
      (mBC (Embed B dB rB C dC rC fBC bBC)))
    (mlet ((RT (L3-conseq A dA rA C dC rC bBC)))     ; result type
      (@Embed-ord oAB                                ; open oAB
                  A dA rA B dB rB RT
        (@Embed oAB.m                                ; open oAB.m
                A dA rA B dB rB oAB.f oAB.b RT
          (@Embed mBC                                ; open mBC
                  B dB rB C dC rC fBC bBC RT
            (mlet ((f (\x A (fBC (oAB.f x))))        ; function mapping A -> C
                   (b (fBC oAB.b)))                  ; upper bound on its range
              (^L3-conseq A dA rA C dC rC bBC        ; construct consequence
                f
                b
                ;; embedding of A into C
                (^Embed A dA rA C dC rC
                  f b
                  ;; b in domain of C
                  (mBC.pres-dom oAB.b oAB.m.db)
                  ;; f preserves domain
                  (\ ((x A)
                      (dx (dA x)))
                    (mBC.pres-dom (oAB.f x)
                                  (oAB.m.pres-dom x dx)))
                  ;; f is monotonic
                  (\ ((x A)
                      (y A)
                      (dx (dA x))
                      (dy (dA y))
                      (rxy (rA x y)))
                    (mBC.mono (oAB.f x)
                              (oAB.f y)
                              (oAB.m.pres-dom x dx)
                              (oAB.m.pres-dom y dy)
                              (oAB.m.mono x y dx dy rxy)))
                  ;; ran f dominated by b
                  (\ ((x A)
                      (dx (dA x)))
                    (mBC.mono (oAB.f x)
                              oAB.b
                              (oAB.m.pres-dom x dx)
                              oAB.m.db
                              (oAB.m.dominate x dx))))
                ;; proof that (rC b bBC)
                (mBC.dominate oAB.b oAB.m.db)))))))))


;;; Corollary 4. Embed-ord is transitive.


(def cor4
  (\ ((A *)
      (dA (Pred A))
      (rA (Rel A))
      (B *)
      (dB (Pred B))
      (rB (Rel B))
      (C *)
      (dC (Pred C))
      (rC (Rel C))
      (oAB (Embed-ord A dA rA B dB rB))
      (oBC (Embed-ord B dB rB C dC rC)))
    (mlet ((RT (Embed-ord A dA rA C dC rC)))     ; result type
      (@Embed-ord oBC
                  B dB rB C dC rC RT
        (let ((l (L3-conseq A dA rA C dC rC oBC.b)
                 (lemma3 A dA rA B dB rB C dC rC
                         oAB oBC.f oBC.b oBC.m)))
          (@L3-conseq l
                      A dA rA C dC rC oBC.b RT
            (^Embed-ord A dA rA C dC rC
                        l.f
                        l.b
                        l.m)))))))
;;; Lemma 5. (Trans OU).


(def lemma5
  (\ ((u1 U)
      (u2 U)
      (u3 U)
      (r (rU u1 u2))
      (s (rU u2 u3)))
    (mlet ((RT (rU u1 u3)))                  ; result type
      (@rU r                                 ; open r
           u1 u2 RT
        (@rU s                               ; open s
             u2 u3 RT
          (^rU u1 u3                         ; construct consequence
               r.A r.dA r.rA
               s.B s.dB s.rB
               r.i                           ; proof that u1 = (inj r.OA)
               s.j                           ; proof that u3 = (inj s.OB)
               ;; (Embed-ord r.OA s.OB)
               (cor4 r.A r.dA r.rA           ; by transitivity of Embed-ord
                     s.A s.dA s.rA
                     s.B s.dB s.rB
                     ;; r.OA < s.OA follows from r.OB = s.OA and r.o : r.OA < r.OB
                     (lemma1 r.B r.dB r.rB   ; connects r.OB to s.OA
                             s.A s.dA s.rA
                             ;; proof that (inj r.OB) = (inj s.OA)
                             (eq-trans U (inj r.B r.dB r.rB) u2 (inj s.A s.dA s.rA)
                                       ;; proof that (inj r.OB) = u2
                                       (eq-sym U u2 (inj r.B r.dB r.rB) r.j)
                                       s.i)  ; proof that u2 = (inj s.OA)
                             ;; OS-pred true of r.OB; lemma1 will prove it for s.OA
                             (\ ((X *)
                                 (dX (Pred X))
                                 (rX (Rel X)))
                               (Embed-ord r.A r.dA r.rA
                                          X dX rX))
                             ;; proof that above OS-pred is true of r.OB
                             r.o)
                     ;; proof of s.OA < s.OB
                     s.o)))))))


THE LOOPING COMBINATOR 


;;; Lemma 6. (WF U dU rU).

(def-dtuple (D-chain ((C (Pred U))        ; chain constructed in an ordered set OA
                      (A *)
                      (dA (Pred A))
                      (rA (Rel A))
                      (a A)))              ; element of D chain to consider
  ((B *)                                   ; preceding ordered set OB
   (dB (Pred B))
   (rB (Rel B))
   (f (B -> A))                            ; embedding function from B to A
   (ci (C (inj B dB rB)))                  ; proof that OB is in C chain
   (m (Embed B dB rB A dA rA f a))))       ; proof that f embeds OB into OA,
                                           ; bounded by a
(def lemma6
  (\ ((C (Pred U))                 ; chain in U
      (c (Chain U dU rU C))        ; proof that C is a chain
      (T *)                        ; ** looping type **
      (fT (T -> T)))               ; ** looping function **
    (@Chain c                      ; open c
            U dU rU C
            T                      ; result type
      (mlet ((uZ c.z)              ; uZ is base of chain C
             (duZ c.dz)            ; uZ in dU
             (cuZ c.cz))           ; uZ in chain
        (let ((cp (Predec U dU rU C c.z c.cz)   ; predecessor of uZ exists and is in C
                  (c.pr c.z c.cz)))
          (@Predec cp              ; open predecessor proof
                   U dU rU C c.z c.cz T
            (@rU cp.ryx
                 cp.y c.z T
              (mlet ((Z cp.ryx.B) (dZ cp.ryx.dB) (rZ cp.ryx.rB)    ; the actual OZ
                     (W cp.ryx.A) (dW cp.ryx.dA) (rW cp.ryx.rA))   ; OW is used in basis
                ;; prove that OZ is WF, then apply this to a chain constructed within OZ
                (fT                                  ; ** one loop iteration **
                  (lemma2b                           ; this will prove (WF OZ)
                    Z dZ rZ
                    (cp.ryx.j dU duZ)                ; proof that (inj OZ) is in dU
                    (D-chain C Z dZ rZ)              ; chain in OZ
                    ;; proof that (D-chain C Z dZ rZ) is a chain
                    (@Embed-ord cp.ryx.o
                                W dW rW Z dZ rZ
                                (Chain Z dZ rZ (D-chain C Z dZ rZ))
                      (@Embed cp.ryx.o.m
                              W dW rW Z dZ rZ cp.ryx.o.f cp.ryx.o.b
                              (Chain Z dZ rZ (D-chain C Z dZ rZ))
                        (^Chain Z dZ rZ (D-chain C Z dZ rZ)
                          ;; base of chain in OZ is embedding bound from proof of OW < OZ
                          cp.ryx.o.b
                          ;; proof that base is in D-chain
                          (^D-chain C Z dZ rZ cp.ryx.o.b
                            W dW rW                      ; preceding ordered set OW
                            cp.ryx.o.f                   ; embedding mapping OW into OZ
                            (cp.ryx.i C cp.cy)           ; OW is in C
                            cp.ryx.o.m)                  ; f embeds OW into OZ
                          ;; proof that base satisfies dZ (comes from proof of OW < OZ)
                          cp.ryx.o.m.db
                          ;; proof that predecessors exist
                          (\ ((a Z)                               ; for every a in OZ
                              (da (D-chain C Z dZ rZ a)))         ; that is in chain D...
                            (mlet ((RT (Predec Z dZ rZ (D-chain C Z dZ rZ) a da)))
                              (@D-chain da                        ; open da
                                        C Z dZ rZ a RT
                                (mlet ((Y da.B) (dY da.dB) (rY da.rB))
                                  ;; OY < OZ and (C (inj OY)) by da; since OY is in the
                                  ;; chain C, we can find its predecessor by applying c.pr
                                  (let ((dp (Predec U dU rU C (inj Y dY rY) da.ci)
                                            (c.pr (inj Y dY rY) da.ci)))
                                    (@Predec dp                   ; open dp
                                             U dU rU C (inj Y dY rY) da.ci RT
                                      (@rU dp.ryx                 ; open dp.ryx
                                           dp.y (inj Y dY rY) RT
                                        (mlet ((X dp.ryx.A) (dX dp.ryx.dA) (rX dp.ryx.rA)
                                               (Y~ dp.ryx.B) (dY~ dp.ryx.dB) (rY~ dp.ryx.rB))
                                          ;; OX < OY~ and (C (inj OX)),
                                          ;; so apply lemma3 to get OX < OZ
                                          (let ((l (L3-conseq X dX rX Z dZ rZ a)
                                                   (lemma3 X dX rX Y dY rY Z dZ rZ
                                                     ;; proof that OX < OY from OX < OY~
                                                     (lemma1 Y~ dY~ rY~ Y dY rY
                                                             (eq-sym U (inj Y dY rY)
                                                                       (inj Y~ dY~ rY~)
                                                                       dp.ryx.j)
                                                             (\ ((A *)
                                                                 (dA (Pred A))
                                                                 (rA (Rel A)))
                                                               (Embed-ord X dX rX A dA rA))
                                                             dp.ryx.o)
                                                     ;; embedding from OY to OZ
                                                     da.f a da.m)))
                                            (@L3-conseq l                ; open lemma3 result
                                                        X dX rX Z dZ rZ a RT
                                              ;; proof that l.b is predecessor of a in D chain
                                              (^Predec Z dZ rZ (D-chain C Z dZ rZ) a da
                                                l.b
                                                ;; proof that l.b is in D
                                                (^D-chain C Z dZ rZ l.b
                                                  X dX rX              ; preceding set is OX
                                                  l.f                  ; embedding function is f
                                                  (dp.ryx.i C dp.cy)   ; OX is in C
                                                  l.m)                 ; f, l.b embed OX into OZ
                                                ;; proof that l.b precedes a in OZ
                                                l.rb))))))))))))))
                    ;; ** looping arguments to lemma2b **
                    T fT))))))))))
;;; Initial segments of ordered sets.

(def-dtuple (Seg ((A *)            ; segment of OA
                  (dA (Pred A))
                  (rA (Rel A))
                  (a A)            ; determined by a
                  (x A)))
  ((d (dA x))                      ; x is in OA
   (r (rA x a))))                  ; x less than a


;;; Lemma 7. If (dU OA) and (dA a) for some a: A, then (dU (inj OAa)).


(def lemma7
  (\ ((A *)
      (dA (Pred A))
      (rA (Rel A))
      (a A)
      (di (dU (inj A dA rA)))
      (da (dA a)))
    (mlet ((iA (inj A dA rA))          ; injection of OA into U
           (sA (Seg A dA rA a)))       ; segment of OA we're interested in
      (@dU di iA                       ; open di
           (dU (inj A sA rA))          ; result type
        (let ((t (Trans A dA rA)       ; given proof that OA is transitive
                 (lemma2a A dA rA di))
              (w (WF A dA rA)          ; given proof that OA is well-founded
                 (lemma2b A dA rA di)))
          ;; prove that (inj OAa) satisfies dU
          (^dU (inj A sA rA)
            A sA rA
            ;; proof that (inj OAa) = (inj OAa)
            (eq-ref U (inj A sA rA))
            ;; OAa is transitive
            t
            ;; OAa is WF since a chain in the segment is a chain in the set
            (\ ((C (Pred A))
                (c (Chain A sA rA C)))
              (@Chain c A sA rA C              ; open c
                      Loop                     ; result type
                (@Seg c.dz A dA rA a c.z       ; open c.dz
                      Loop                     ; result type
                  (w C
                     (^Chain A dA rA C
                       c.z
                       c.cz
                       c.dz.d
                       c.pr)))))))))))
;;; Lemma 8. If (dU (inj OA)), then OA < OU.


(def lemma8
  (\ ((A *)
      (dA (Pred A))
      (rA (Rel A))
      (di (dU (inj A dA rA))))
    (mlet ((f (\x A (inj A (Seg A dA rA x) rA)))   ; mapping A -> U
           (b (inj A dA rA)))                       ; bound on mapping
      ;; prove that f embeds OA into U, bounded by b
      (^Embed-ord A dA rA U dU rU f b
        (^Embed A dA rA U dU rU f b
          ;; embedding bound satisfies domain
          di
          ;; f preserves domain
          (\ ((x A)
              (dx (dA x)))
            (lemma7 A dA rA x di dx))
          ;; f is monotonic
          (\ ((x A)
              (y A)
              (dx (dA x))
              (dy (dA y))
              (rxy (rA x y)))
            (mlet ((sx (Seg A dA rA x))      ; segment determined by x
                   (sy (Seg A dA rA y)))     ; segment determined by y
              (^rU (f x) (f y)
                A sx rA
                A sy rA
                (eq-ref U (inj A sx rA))
                (eq-ref U (inj A sy rA))
                (mlet ((fA (\x A x)))        ; mapping A -> A
                  ;; prove that fA embeds (f x) into (f y), bounded by x
                  (^Embed-ord A sx rA
                              A sy rA
                              fA x
                    (^Embed A sx rA
                            A sy rA
                            fA x
                      ;; bound x is in domain of (f y)
                      (^Seg A dA rA y x dx rxy)
                      ;; fA preserves domain
                      (\ ((a A)
                          (da (sx a)))
                        (@Seg da
                              A dA rA x a
                              (Seg A dA rA y a)
                          (^Seg A dA rA y a
                            da.d
                            ((lemma2a A dA rA di)
                             a x y
                             da.r rxy))))
                      ;; fA is monotonic
                      (\ ((a A)
                          (b A)
                          (da (sx a))
                          (db (sx b))
                          (rab (rA a b)))
                        rab)
                      ;; x dominates ran fA
                      (\ ((a A)
                          (da (sx a)))
                        (@Seg da
                              A dA rA x a
                              (rA a x)
                          da.r))))))))
          ;; b dominates ran f
          (\ ((x A)
              (dx (dA x)))
            (mlet ((sx (Seg A dA rA x)))     ; segment determined by x
              (^rU (f x) b
                A sx rA
                A dA rA
                (eq-ref U (inj A sx rA))
                (eq-ref U (inj A dA rA))
                (mlet ((fA (\x A x)))        ; mapping A -> A
                  ;; prove that fA embeds (f x) into OA, bounded by x
                  (^Embed-ord A sx rA
                              A dA rA
                              fA x
                    (^Embed A sx rA
                            A dA rA
                            fA x
                      ;; bound is in domain
                      dx
                      ;; fA preserves domain
                      (\ ((a A)
                          (da (sx a)))
                        (@Seg da
                              A dA rA x a
                              (dA a)
                          da.d))
                      ;; fA preserves order
                      (\ ((a A)
                          (b A)
                          (da (sx a))
                          (db (sx b))
                          (rab (rA a b)))
                        rab)
                      ;; x dominates ran fA
                      (\ ((a A)
                          (da (sx a)))
                        (@Seg da
                              A dA rA x a
                              (rA a x)
                          da.r)))))))))))))




;;; Contradiction.

(def u (inj U dU rU))                                ; injection of U into itself

(def du (^dU u U dU rU (eq-ref U u) lemma5 lemma6))   ; (dU u): OU is transitive and WF

(def ruu (^rU u u                                     ; (rU u u)
              U dU rU
              U dU rU
              (eq-ref U u)
              (eq-ref U u)
              (lemma8 U dU rU du)))

(def C (\w U (Eq U w u)))

(def cC (^Chain U dU rU C
          u                          ; base of chain
          (eq-ref U u)               ; base is in C,
          du                         ; and in dU
          (\ ((v U)                  ; predecessor of any v
              (cv (C v)))            ; that is in C
            (^Predec U dU rU C v cv
              u                      ; is u,
              (eq-ref U u)           ; which is in C also,
              ((eq-sym U v u cv)     ; and is smaller than v
               (\w U (rU u w)) ruu)))))

(def loop (lemma6 C cC))

;; Q.E.D.
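The looping type that `loop` inhabits, and why inhabiting it is a contradiction, as an added Lean 4 example rather than code from the paper. `Loop`, `fixOf`, `loopEmpty` and `loopFalse` are names chosen here; `OSPred`, `U` and `inj` repeat the paper's definitions at Lean's universe levels.

```lean
-- OS-pred, U and inj as above, placed at Lean's universe levels.
def OSPred : Type 1 := (A : Type) → (A → Prop) → (A → A → Prop) → Prop
def U : Type 1 := OSPred → Prop
def inj (A : Type) (dA : A → Prop) (rA : A → A → Prop) : U := fun x => x A dA rA

-- The looping type: (WF ...) returns it, lemma6 produces it for U, and
-- `loop` is the paper's inhabitant of it.
def Loop : Type 1 := ∀ T : Type, (T → T) → T

-- An inhabitant is a fixed-point combinator for every type: for any
-- f : T → T it hands back an element l T f of T, with no base case.
def fixOf (l : Loop) (T : Type) (f : T → T) : T := l T f

-- Why this is a contradiction: take T := Empty and f := id.
def loopEmpty (l : Loop) : Empty := fixOf l Empty id

-- An element of Empty proves anything, in particular False.
theorem loopFalse (l : Loop) : False := Empty.elim (loopEmpty l)
```

Lean accepts everything in the block but rejects the very next step of the paper, `(inj U dU rU)`: `U : Type 1` cannot be passed where `inj` expects `A : Type`. With `* : *` that universe check disappears, `u`, `du` and `ruu` typecheck, and `loop` yields `fixOf loop T f` for every `T` and `f`, a fixed-point combinator in a calculus that was meant to be strongly normalizing. For any checker or proof-carrying tool built on such a calculus, the practical consequence is the one `loopFalse` shows: once the universe is inconsistent, every proposition, including a false safety property, has a proof term.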